redline | 8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898

Analysis

max time kernel
122s
max time network
142s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2023 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe
Size

1.1MB
MD5

e7b4ea68199a4af9853475c548de37ed
SHA1

e17976bcd15dcbac3aba462080e2a22ba43ab230
SHA256

8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898
SHA512

5ead42c54aa15c61b0077e161e5ecb56f5da47fd629a522961fa00bc116223abfa9cc1fa61481ab2418e4b17ad837713746dcb1bcd25b1fac6a0965b41c4d1ab
SSDEEP

24576:VyzcRkSmV83wboZT3FXBhbMkebnQAUSS3G+rcMedlIUOD+fPE1iTOB:wrf8Ab0TVXB6bnQr3jAMs+UODSPqiT

Score

10^/10

redline liza metro redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

liza

83.97.73.127:19045

Attributes

auth_value
198e3e9b188d6cfab0a2b0fb100bb7c5

Extracted

Family

redline

Botnet

metro

83.97.73.127:19045

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

z5464143.exez3031213.exeo4595788.exep4331132.exer6879365.exes5373038.exes5373038.exelegends.exelegends.exeredline.exelegends.exelegends.exelegends.exelegends.exe

pid	process
2588	z5464143.exe
3012	z3031213.exe
5000	o4595788.exe
3008	p4331132.exe
4788	r6879365.exe
4908	s5373038.exe
804	s5373038.exe
4328	legends.exe
4400	legends.exe
1008	redline.exe
3988	legends.exe
2540	legends.exe
5104	legends.exe
1292	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4500 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4500	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z5464143.exez3031213.exe8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5464143.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3031213.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3031213.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5464143.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o4595788.exer6879365.exes5373038.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 5000 set thread context of 4024	5000	o4595788.exe	AppLaunch.exe
PID 4788 set thread context of 4696	4788	r6879365.exe	AppLaunch.exe
PID 4908 set thread context of 804	4908	s5373038.exe	s5373038.exe
PID 4328 set thread context of 4400	4328	legends.exe	legends.exe
PID 3988 set thread context of 2540	3988	legends.exe	legends.exe
PID 5104 set thread context of 1292	5104	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2524 1292 WerFault.exe legends.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4604 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exep4331132.exeAppLaunch.exeredline.exe

pid process

4024 AppLaunch.exe
4024 AppLaunch.exe
3008 p4331132.exe
3008 p4331132.exe
4696 AppLaunch.exe
4696 AppLaunch.exe
1008 redline.exe
1008 redline.exe

pid	pid_target	process	target process
2524	1292	WerFault.exe	legends.exe

pid	process
4604	schtasks.exe

pid	process
4024	AppLaunch.exe
4024	AppLaunch.exe
3008	p4331132.exe
3008	p4331132.exe
4696	AppLaunch.exe
4696	AppLaunch.exe
1008	redline.exe
1008	redline.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exep4331132.exes5373038.exelegends.exeAppLaunch.exeredline.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	4024	AppLaunch.exe
Token: SeDebugPrivilege	3008	p4331132.exe
Token: SeDebugPrivilege	4908	s5373038.exe
Token: SeDebugPrivilege	4328	legends.exe
Token: SeDebugPrivilege	4696	AppLaunch.exe
Token: SeDebugPrivilege	1008	redline.exe
Token: SeDebugPrivilege	3988	legends.exe
Token: SeDebugPrivilege	5104	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s5373038.exe

pid process

804 s5373038.exe

pid	process
804	s5373038.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exez5464143.exez3031213.exeo4595788.exer6879365.exes5373038.exes5373038.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 2456 wrote to memory of 2588	2456	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe	z5464143.exe
PID 2456 wrote to memory of 2588	2456	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe	z5464143.exe
PID 2456 wrote to memory of 2588	2456	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe	z5464143.exe
PID 2588 wrote to memory of 3012	2588	z5464143.exe	z3031213.exe
PID 2588 wrote to memory of 3012	2588	z5464143.exe	z3031213.exe
PID 2588 wrote to memory of 3012	2588	z5464143.exe	z3031213.exe
PID 3012 wrote to memory of 5000	3012	z3031213.exe	o4595788.exe
PID 3012 wrote to memory of 5000	3012	z3031213.exe	o4595788.exe
PID 3012 wrote to memory of 5000	3012	z3031213.exe	o4595788.exe
PID 5000 wrote to memory of 4024	5000	o4595788.exe	AppLaunch.exe
PID 5000 wrote to memory of 4024	5000	o4595788.exe	AppLaunch.exe
PID 5000 wrote to memory of 4024	5000	o4595788.exe	AppLaunch.exe
PID 5000 wrote to memory of 4024	5000	o4595788.exe	AppLaunch.exe
PID 5000 wrote to memory of 4024	5000	o4595788.exe	AppLaunch.exe
PID 3012 wrote to memory of 3008	3012	z3031213.exe	p4331132.exe
PID 3012 wrote to memory of 3008	3012	z3031213.exe	p4331132.exe
PID 3012 wrote to memory of 3008	3012	z3031213.exe	p4331132.exe
PID 2588 wrote to memory of 4788	2588	z5464143.exe	r6879365.exe
PID 2588 wrote to memory of 4788	2588	z5464143.exe	r6879365.exe
PID 2588 wrote to memory of 4788	2588	z5464143.exe	r6879365.exe
PID 4788 wrote to memory of 4696	4788	r6879365.exe	AppLaunch.exe
PID 4788 wrote to memory of 4696	4788	r6879365.exe	AppLaunch.exe
PID 4788 wrote to memory of 4696	4788	r6879365.exe	AppLaunch.exe
PID 4788 wrote to memory of 4696	4788	r6879365.exe	AppLaunch.exe
PID 4788 wrote to memory of 4696	4788	r6879365.exe	AppLaunch.exe
PID 2456 wrote to memory of 4908	2456	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe	s5373038.exe
PID 2456 wrote to memory of 4908	2456	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe	s5373038.exe
PID 2456 wrote to memory of 4908	2456	8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 4908 wrote to memory of 804	4908	s5373038.exe	s5373038.exe
PID 804 wrote to memory of 4328	804	s5373038.exe	legends.exe
PID 804 wrote to memory of 4328	804	s5373038.exe	legends.exe
PID 804 wrote to memory of 4328	804	s5373038.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4328 wrote to memory of 4400	4328	legends.exe	legends.exe
PID 4400 wrote to memory of 4604	4400	legends.exe	schtasks.exe
PID 4400 wrote to memory of 4604	4400	legends.exe	schtasks.exe
PID 4400 wrote to memory of 4604	4400	legends.exe	schtasks.exe
PID 4400 wrote to memory of 5060	4400	legends.exe	cmd.exe
PID 4400 wrote to memory of 5060	4400	legends.exe	cmd.exe
PID 4400 wrote to memory of 5060	4400	legends.exe	cmd.exe
PID 5060 wrote to memory of 4260	5060	cmd.exe	cmd.exe
PID 5060 wrote to memory of 4260	5060	cmd.exe	cmd.exe
PID 5060 wrote to memory of 4260	5060	cmd.exe	cmd.exe
PID 5060 wrote to memory of 1456	5060	cmd.exe	cacls.exe
PID 5060 wrote to memory of 1456	5060	cmd.exe	cacls.exe
PID 5060 wrote to memory of 1456	5060	cmd.exe	cacls.exe
PID 5060 wrote to memory of 4796	5060	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe
"C:\Users\Admin\AppData\Local\Temp\8fbe7dbe5d454300a3e3fc212d58080721cb858a0ded98186bd0d674bf9f2898.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5464143.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5464143.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3031213.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3031213.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4595788.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4595788.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4331132.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4331132.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6879365.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6879365.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5373038.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5373038.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5373038.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5373038.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4260

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:1456

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3380

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:4296

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4500

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 24
3⤵
- Program crash
PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5373038.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5373038.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5373038.exe
Filesize
963KB

MD5
56c1cf88a7e2c3093382cdd08dc4a741

SHA1
a9476241539fbd81d81d562aac7a30f3f7401d5a

SHA256
9d3d1231e01f892d3b2a46543e890321745c4ee52235dfa0f8ac613d8fa277b0

SHA512
d5d5802331eb3977b792a78eaca8f817f9ebc54f056282e7209efe56e40ef82248d7491ec7b05aebe86c2af84cf509d2cacddf9af22233bd9faec1b6a894d2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5464143.exe
Filesize
633KB

MD5
7c10fb8c308036aee95700f41fc69e29

SHA1
36cf4aadeab1369199294b222a10ae345df1f5c2

SHA256
c2f79b698e08003eadc140a2cd2fe0f6fd43f42bfd2eebd2960306c4d0092403

SHA512
dc4f9a08541265a8c7603cc2c17ca26a367de71471f0642dc03ab0e32b213341af8091635abd2e780fa8e5fbc23ef1ef0bc12004c88a37e3b83cc8f0131c9941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5464143.exe
Filesize
633KB

MD5
7c10fb8c308036aee95700f41fc69e29

SHA1
36cf4aadeab1369199294b222a10ae345df1f5c2

SHA256
c2f79b698e08003eadc140a2cd2fe0f6fd43f42bfd2eebd2960306c4d0092403

SHA512
dc4f9a08541265a8c7603cc2c17ca26a367de71471f0642dc03ab0e32b213341af8091635abd2e780fa8e5fbc23ef1ef0bc12004c88a37e3b83cc8f0131c9941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6879365.exe
Filesize
341KB

MD5
70145233410a62ef991e1805a18ee220

SHA1
bc51947dffcdf3c7a4a5a72eaabb661d9a2a4421

SHA256
540daa237d6a830a4438ed943fccb3b764d017e768d092e362c2160869bdfc8a

SHA512
cb508d32e2a806dd8dc8a0833b24ab9ea5c5a3f96805420b012916bc280216e89b4eea8c83a2e3ee0de9cfd0ebc2874efff6cd3680f39705e1c6ee2e36b79620

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6879365.exe
Filesize
341KB

MD5
70145233410a62ef991e1805a18ee220

SHA1
bc51947dffcdf3c7a4a5a72eaabb661d9a2a4421

SHA256
540daa237d6a830a4438ed943fccb3b764d017e768d092e362c2160869bdfc8a

SHA512
cb508d32e2a806dd8dc8a0833b24ab9ea5c5a3f96805420b012916bc280216e89b4eea8c83a2e3ee0de9cfd0ebc2874efff6cd3680f39705e1c6ee2e36b79620

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3031213.exe
Filesize
289KB

MD5
3383153e537089b5d19cfb17ec685b92

SHA1
0537ce3f69a4b105fc3cf4dc2d833bc1e81cc217

SHA256
f4e4ff2c746b66a07592ae32f6c88d257218248774d5f3a6970a39dae7e8a146

SHA512
dee394b5900b558417c997dff5e17e87a49c99c5f1ec60685c8d48cd4cfcf662213fa1761348463d52a5a632c7659ba9d31fc05fcdcc400aa512277a8f6293c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3031213.exe
Filesize
289KB

MD5
3383153e537089b5d19cfb17ec685b92

SHA1
0537ce3f69a4b105fc3cf4dc2d833bc1e81cc217

SHA256
f4e4ff2c746b66a07592ae32f6c88d257218248774d5f3a6970a39dae7e8a146

SHA512
dee394b5900b558417c997dff5e17e87a49c99c5f1ec60685c8d48cd4cfcf662213fa1761348463d52a5a632c7659ba9d31fc05fcdcc400aa512277a8f6293c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4595788.exe
Filesize
185KB

MD5
124daf685f838d846d129a91d05d1f67

SHA1
de90d5352ef8984e4294dbb8708f2b3d3d6be24f

SHA256
1d505d8406dd97c6382f83725017a597f0852e7016ab6d34845ad934e5766460

SHA512
f6d22f081c9189a1ff48dee89ab5051e55e514ef9e42119939c178e94e54eb832872c5d520f0bd417d1aa23a4459d44f7bcabde07763b7401e46fd56a661d618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4595788.exe
Filesize
185KB

MD5
124daf685f838d846d129a91d05d1f67

SHA1
de90d5352ef8984e4294dbb8708f2b3d3d6be24f

SHA256
1d505d8406dd97c6382f83725017a597f0852e7016ab6d34845ad934e5766460

SHA512
f6d22f081c9189a1ff48dee89ab5051e55e514ef9e42119939c178e94e54eb832872c5d520f0bd417d1aa23a4459d44f7bcabde07763b7401e46fd56a661d618

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4331132.exe
Filesize
168KB

MD5
4a2c566d469b1df6322910decd6913fb

SHA1
b780660d11048fa74428de3c49078d9b3cbfeca9

SHA256
28ed1a07635312b7554415a064e6ae84ef8f0a7415982f5fdd75511f78970eb8

SHA512
8d82f21f93c21aa45e8ccb08c7d8d2f499c539ff2ec266540c88ef09890fa37e909c9338f23c667724c3d1ab4e51fef7a77832a99a2c387340f64cc5a5beeff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4331132.exe
Filesize
168KB

MD5
4a2c566d469b1df6322910decd6913fb

SHA1
b780660d11048fa74428de3c49078d9b3cbfeca9

SHA256
28ed1a07635312b7554415a064e6ae84ef8f0a7415982f5fdd75511f78970eb8

SHA512
8d82f21f93c21aa45e8ccb08c7d8d2f499c539ff2ec266540c88ef09890fa37e909c9338f23c667724c3d1ab4e51fef7a77832a99a2c387340f64cc5a5beeff1

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
memory/804-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/804-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/804-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/804-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/804-231-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1008-389-0x0000000000DB0000-0x0000000000DDA000-memory.dmp

Filesize
168KB

Download
memory/1008-392-0x00000000057E0000-0x000000000582B000-memory.dmp

Filesize
300KB

Download
memory/1008-393-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1008-391-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1292-427-0x00000000003F0000-0x00000000003F0000-memory.dmp

Download
memory/2540-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-401-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-400-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3008-188-0x000000000B960000-0x000000000B9B0000-memory.dmp

Filesize
320KB

Download
memory/3008-172-0x000000000B310000-0x000000000B80E000-memory.dmp

Filesize
5.0MB

Download
memory/3008-160-0x000000000A480000-0x000000000A4CB000-memory.dmp

Filesize
300KB

Download
memory/3008-154-0x0000000000570000-0x000000000059E000-memory.dmp

Filesize
184KB

Download
memory/3008-155-0x0000000004D20000-0x0000000004D26000-memory.dmp

Filesize
24KB

Download
memory/3008-156-0x000000000A800000-0x000000000AE06000-memory.dmp

Filesize
6.0MB

Download
memory/3008-157-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/3008-173-0x000000000AE10000-0x000000000AE76000-memory.dmp

Filesize
408KB

Download
memory/3008-161-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3008-159-0x000000000A300000-0x000000000A33E000-memory.dmp

Filesize
248KB

Download
memory/3008-158-0x000000000A2A0000-0x000000000A2B2000-memory.dmp

Filesize
72KB

Download
memory/3008-171-0x000000000A740000-0x000000000A7D2000-memory.dmp

Filesize
584KB

Download
memory/3008-170-0x000000000A620000-0x000000000A696000-memory.dmp

Filesize
472KB

Download
memory/3008-189-0x000000000BB80000-0x000000000BD42000-memory.dmp

Filesize
1.8MB

Download
memory/3008-190-0x000000000C280000-0x000000000C7AC000-memory.dmp

Filesize
5.2MB

Download
memory/3008-191-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3988-397-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/4024-143-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4328-232-0x0000000007760000-0x0000000007770000-memory.dmp

Filesize
64KB

Download
memory/4400-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-386-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-282-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-420-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-269-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4696-197-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4696-210-0x0000000004C30000-0x0000000004C36000-memory.dmp

Filesize
24KB

Download
memory/4696-216-0x0000000008D40000-0x0000000008D50000-memory.dmp

Filesize
64KB

Download
memory/4908-209-0x0000000000B10000-0x0000000000C08000-memory.dmp

Filesize
992KB

Download
memory/4908-215-0x0000000007990000-0x00000000079A0000-memory.dmp

Filesize
64KB

Download
memory/5104-424-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download