redline | 6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f

Analysis

max time kernel
141s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2023 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe
Size

1.1MB
MD5

ef4301851423f8ecb5dd0c43037c57cb
SHA1

3d387d334ce1fed3edd0b344216eb508f71478ce
SHA256

6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f
SHA512

f0daa659ee62cea4f1c6164f3213a39ff34db190f5470a56370e32edd46148af14bb90ffbc29452b53a8df69ae04937ac312a212fc4e4da26f01cb149b367427
SSDEEP

24576:RydfuitQXue9uP+LKxeunK7US90TW/QE0GNsfRAuZSfW5n:EJuitQee9uW5unKz0TB3GNqV

Score

10^/10

redline lizsa metro redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lizsa

83.97.73.127:19045

Attributes

auth_value
44b0b71b36e78465dbdebb4ecfb78b77

Extracted

Family

redline

Botnet

metro

83.97.73.127:19045

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

z0600545.exez5158332.exeo9973847.exep8730799.exer4905482.exes2340085.exes2340085.exelegends.exelegends.exeredline.exelegends.exelegends.exelegends.exelegends.exe

pid	process
3708	z0600545.exe
4296	z5158332.exe
4908	o9973847.exe
2068	p8730799.exe
4592	r4905482.exe
4376	s2340085.exe
2648	s2340085.exe
2292	legends.exe
5008	legends.exe
4140	redline.exe
4572	legends.exe
4332	legends.exe
2088	legends.exe
3920	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4136 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4136	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z0600545.exez5158332.exe6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0600545.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0600545.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5158332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5158332.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o9973847.exer4905482.exes2340085.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 4908 set thread context of 1540	4908	o9973847.exe	AppLaunch.exe
PID 4592 set thread context of 4724	4592	r4905482.exe	AppLaunch.exe
PID 4376 set thread context of 2648	4376	s2340085.exe	s2340085.exe
PID 2292 set thread context of 5008	2292	legends.exe	legends.exe
PID 4572 set thread context of 4332	4572	legends.exe	legends.exe
PID 2088 set thread context of 3920	2088	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4816 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exep8730799.exeAppLaunch.exeredline.exe

pid process

1540 AppLaunch.exe
1540 AppLaunch.exe
2068 p8730799.exe
2068 p8730799.exe
4724 AppLaunch.exe
4724 AppLaunch.exe
4140 redline.exe
4140 redline.exe

pid	process
4816	schtasks.exe

pid	process
1540	AppLaunch.exe
1540	AppLaunch.exe
2068	p8730799.exe
2068	p8730799.exe
4724	AppLaunch.exe
4724	AppLaunch.exe
4140	redline.exe
4140	redline.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exep8730799.exes2340085.exelegends.exeAppLaunch.exeredline.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	1540	AppLaunch.exe
Token: SeDebugPrivilege	2068	p8730799.exe
Token: SeDebugPrivilege	4376	s2340085.exe
Token: SeDebugPrivilege	2292	legends.exe
Token: SeDebugPrivilege	4724	AppLaunch.exe
Token: SeDebugPrivilege	4140	redline.exe
Token: SeDebugPrivilege	4572	legends.exe
Token: SeDebugPrivilege	2088	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s2340085.exe

pid process

2648 s2340085.exe

pid	process
2648	s2340085.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exez0600545.exez5158332.exeo9973847.exer4905482.exes2340085.exes2340085.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 3704 wrote to memory of 3708	3704	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe	z0600545.exe
PID 3704 wrote to memory of 3708	3704	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe	z0600545.exe
PID 3704 wrote to memory of 3708	3704	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe	z0600545.exe
PID 3708 wrote to memory of 4296	3708	z0600545.exe	z5158332.exe
PID 3708 wrote to memory of 4296	3708	z0600545.exe	z5158332.exe
PID 3708 wrote to memory of 4296	3708	z0600545.exe	z5158332.exe
PID 4296 wrote to memory of 4908	4296	z5158332.exe	o9973847.exe
PID 4296 wrote to memory of 4908	4296	z5158332.exe	o9973847.exe
PID 4296 wrote to memory of 4908	4296	z5158332.exe	o9973847.exe
PID 4908 wrote to memory of 1540	4908	o9973847.exe	AppLaunch.exe
PID 4908 wrote to memory of 1540	4908	o9973847.exe	AppLaunch.exe
PID 4908 wrote to memory of 1540	4908	o9973847.exe	AppLaunch.exe
PID 4908 wrote to memory of 1540	4908	o9973847.exe	AppLaunch.exe
PID 4908 wrote to memory of 1540	4908	o9973847.exe	AppLaunch.exe
PID 4296 wrote to memory of 2068	4296	z5158332.exe	p8730799.exe
PID 4296 wrote to memory of 2068	4296	z5158332.exe	p8730799.exe
PID 4296 wrote to memory of 2068	4296	z5158332.exe	p8730799.exe
PID 3708 wrote to memory of 4592	3708	z0600545.exe	r4905482.exe
PID 3708 wrote to memory of 4592	3708	z0600545.exe	r4905482.exe
PID 3708 wrote to memory of 4592	3708	z0600545.exe	r4905482.exe
PID 4592 wrote to memory of 4724	4592	r4905482.exe	AppLaunch.exe
PID 4592 wrote to memory of 4724	4592	r4905482.exe	AppLaunch.exe
PID 4592 wrote to memory of 4724	4592	r4905482.exe	AppLaunch.exe
PID 4592 wrote to memory of 4724	4592	r4905482.exe	AppLaunch.exe
PID 4592 wrote to memory of 4724	4592	r4905482.exe	AppLaunch.exe
PID 3704 wrote to memory of 4376	3704	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe	s2340085.exe
PID 3704 wrote to memory of 4376	3704	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe	s2340085.exe
PID 3704 wrote to memory of 4376	3704	6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 4376 wrote to memory of 2648	4376	s2340085.exe	s2340085.exe
PID 2648 wrote to memory of 2292	2648	s2340085.exe	legends.exe
PID 2648 wrote to memory of 2292	2648	s2340085.exe	legends.exe
PID 2648 wrote to memory of 2292	2648	s2340085.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 2292 wrote to memory of 5008	2292	legends.exe	legends.exe
PID 5008 wrote to memory of 4816	5008	legends.exe	schtasks.exe
PID 5008 wrote to memory of 4816	5008	legends.exe	schtasks.exe
PID 5008 wrote to memory of 4816	5008	legends.exe	schtasks.exe
PID 5008 wrote to memory of 4800	5008	legends.exe	cmd.exe
PID 5008 wrote to memory of 4800	5008	legends.exe	cmd.exe
PID 5008 wrote to memory of 4800	5008	legends.exe	cmd.exe
PID 4800 wrote to memory of 424	4800	cmd.exe	cmd.exe
PID 4800 wrote to memory of 424	4800	cmd.exe	cmd.exe
PID 4800 wrote to memory of 424	4800	cmd.exe	cmd.exe
PID 4800 wrote to memory of 3000	4800	cmd.exe	cacls.exe
PID 4800 wrote to memory of 3000	4800	cmd.exe	cacls.exe
PID 4800 wrote to memory of 3000	4800	cmd.exe	cacls.exe
PID 4800 wrote to memory of 4744	4800	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe
"C:\Users\Admin\AppData\Local\Temp\6b281b20c590da9cdb41f3924670bd5c7483c04408e44c9e298d08fd2a12346f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0600545.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0600545.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5158332.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5158332.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9973847.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9973847.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8730799.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8730799.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4905482.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4905482.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2340085.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2340085.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2340085.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2340085.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:424

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:3000

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3312

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:4980

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4136

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4332

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2340085.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2340085.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2340085.exe
Filesize
963KB

MD5
cc4f3027ec86271a764f5c873ad6d013

SHA1
c092641386e75df93fef50dee4908a7d8546651e

SHA256
b9e089235de5a7fe9aba48076c052c36ea7670c94814385ef85215e7d76a1564

SHA512
d4e5f184765d2400249941687bdce5854af149fd81769acddda105dff65250cc0a23c623db5785ecb3b328575d46baf964ea13b14b27a835e4d2ad2131ccd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0600545.exe
Filesize
634KB

MD5
ce0dc56fab6ebee8476fa0f6048aae8e

SHA1
2c50f67c6a40aec59d92116840f9e8a301bdaeee

SHA256
8169bbca82c0cb758602652dfe831f17e78f6f6051b70107cd380048cc67c65f

SHA512
214016e565638674f951ef3e8e7f8d5d6f3b295ddafe805dd04f1c79009f982aafb680cd23c81669d6bc37c1419aa5634b0415f9292a8d40a666c19b98a7de3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0600545.exe
Filesize
634KB

MD5
ce0dc56fab6ebee8476fa0f6048aae8e

SHA1
2c50f67c6a40aec59d92116840f9e8a301bdaeee

SHA256
8169bbca82c0cb758602652dfe831f17e78f6f6051b70107cd380048cc67c65f

SHA512
214016e565638674f951ef3e8e7f8d5d6f3b295ddafe805dd04f1c79009f982aafb680cd23c81669d6bc37c1419aa5634b0415f9292a8d40a666c19b98a7de3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4905482.exe
Filesize
342KB

MD5
2462b775e3c0b506d469b40d6facdfd4

SHA1
302c8d96c35cafe623175cac081e15560ccdffb4

SHA256
59d0db1764cc1739fc47b84027d8f3931a63a99213c19488ccff5ca08be8e75e

SHA512
fd1d770dfd83f2c300e3d6a3d5413370e35acd4a78b7e45f764135a7cfbc1452bdfb2f6674c384a795f5ef53139d37bf94501e17f815826088e9bd62acc1445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4905482.exe
Filesize
342KB

MD5
2462b775e3c0b506d469b40d6facdfd4

SHA1
302c8d96c35cafe623175cac081e15560ccdffb4

SHA256
59d0db1764cc1739fc47b84027d8f3931a63a99213c19488ccff5ca08be8e75e

SHA512
fd1d770dfd83f2c300e3d6a3d5413370e35acd4a78b7e45f764135a7cfbc1452bdfb2f6674c384a795f5ef53139d37bf94501e17f815826088e9bd62acc1445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5158332.exe
Filesize
290KB

MD5
8f10872997361199a033a0893bfafa43

SHA1
b1c19c69cb6a68e5bcab9ccd3922350fdb1bebec

SHA256
a9cbfe4aff800ed2798052d0fe271a22edb98b8255cd94bf1307cf7b42987cf1

SHA512
272bb97e077fba9020b890eaf3f3f851f5317d3218b24e024618a789779f14668a1fc9b211f317846c631d149797321a85bc62bce8df09ca571a162f8288f5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5158332.exe
Filesize
290KB

MD5
8f10872997361199a033a0893bfafa43

SHA1
b1c19c69cb6a68e5bcab9ccd3922350fdb1bebec

SHA256
a9cbfe4aff800ed2798052d0fe271a22edb98b8255cd94bf1307cf7b42987cf1

SHA512
272bb97e077fba9020b890eaf3f3f851f5317d3218b24e024618a789779f14668a1fc9b211f317846c631d149797321a85bc62bce8df09ca571a162f8288f5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9973847.exe
Filesize
185KB

MD5
da0fc1c694bbe3b0fcb377d91930853f

SHA1
ddc89ecf197f05618cbb5fdece41e8f32085948d

SHA256
c3c8ceca2d6e55828f349dfa4393ccfe4aa63aae4c9f1b90de7e4bc17a47bf46

SHA512
c736f480e80b78188a7d5f7468f6f4b4e01843f0ed41fd3d94bd59e071d8b94bf5a70e9ae523abf84a45c7c315301afbcca8db27c8b7d39a11e9a391efc2990b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o9973847.exe
Filesize
185KB

MD5
da0fc1c694bbe3b0fcb377d91930853f

SHA1
ddc89ecf197f05618cbb5fdece41e8f32085948d

SHA256
c3c8ceca2d6e55828f349dfa4393ccfe4aa63aae4c9f1b90de7e4bc17a47bf46

SHA512
c736f480e80b78188a7d5f7468f6f4b4e01843f0ed41fd3d94bd59e071d8b94bf5a70e9ae523abf84a45c7c315301afbcca8db27c8b7d39a11e9a391efc2990b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8730799.exe
Filesize
168KB

MD5
795f301d84a77733306efc8c98474f90

SHA1
cf122ebb1d6cce18b8518311f01d8ed4740a644c

SHA256
e1b61fc3613853f85e675e4ffaca82659c26ddefc710ba799a449dcc83bca983

SHA512
74d579e0029f4cf69bf5b5cde0e3e6642354ec85c7dbdf90145a5f16385403d0e077dfb9feef6a2bb1989eb95e82cde8929c080244dcd19cf892e608c11d8a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8730799.exe
Filesize
168KB

MD5
795f301d84a77733306efc8c98474f90

SHA1
cf122ebb1d6cce18b8518311f01d8ed4740a644c

SHA256
e1b61fc3613853f85e675e4ffaca82659c26ddefc710ba799a449dcc83bca983

SHA512
74d579e0029f4cf69bf5b5cde0e3e6642354ec85c7dbdf90145a5f16385403d0e077dfb9feef6a2bb1989eb95e82cde8929c080244dcd19cf892e608c11d8a26

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
memory/1540-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2068-152-0x000000000AC70000-0x000000000AD7A000-memory.dmp

Filesize
1.0MB

Download
memory/2068-165-0x000000000AF20000-0x000000000AF96000-memory.dmp

Filesize
472KB

Download
memory/2068-186-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/2068-185-0x000000000C310000-0x000000000C360000-memory.dmp

Filesize
320KB

Download
memory/2068-177-0x000000000CB40000-0x000000000D06C000-memory.dmp

Filesize
5.2MB

Download
memory/2068-169-0x000000000C440000-0x000000000C602000-memory.dmp

Filesize
1.8MB

Download
memory/2068-168-0x000000000B740000-0x000000000B7A6000-memory.dmp

Filesize
408KB

Download
memory/2068-167-0x000000000BC40000-0x000000000C13E000-memory.dmp

Filesize
5.0MB

Download
memory/2068-166-0x000000000B040000-0x000000000B0D2000-memory.dmp

Filesize
584KB

Download
memory/2068-149-0x0000000000D30000-0x0000000000D5E000-memory.dmp

Filesize
184KB

Download
memory/2068-160-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/2068-155-0x000000000AD80000-0x000000000ADCB000-memory.dmp

Filesize
300KB

Download
memory/2068-154-0x000000000AC00000-0x000000000AC3E000-memory.dmp

Filesize
248KB

Download
memory/2068-150-0x00000000013C0000-0x00000000013C6000-memory.dmp

Filesize
24KB

Download
memory/2068-153-0x000000000ABA0000-0x000000000ABB2000-memory.dmp

Filesize
72KB

Download
memory/2068-151-0x000000000B130000-0x000000000B736000-memory.dmp

Filesize
6.0MB

Download
memory/2088-418-0x0000000007680000-0x0000000007690000-memory.dmp

Filesize
64KB

Download
memory/2292-227-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/2648-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3920-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3920-422-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3920-421-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4140-386-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/4140-387-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/4140-376-0x0000000000D50000-0x0000000000D7A000-memory.dmp

Filesize
168KB

Download
memory/4332-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4332-416-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4332-415-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4376-210-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download
memory/4376-204-0x0000000000490000-0x0000000000588000-memory.dmp

Filesize
992KB

Download
memory/4572-411-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/4724-211-0x00000000095C0000-0x00000000095D0000-memory.dmp

Filesize
64KB

Download
memory/4724-205-0x00000000095A0000-0x00000000095A6000-memory.dmp

Filesize
24KB

Download
memory/4724-192-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5008-237-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-309-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-406-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-299-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-373-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download