redline | 434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b

Analysis

max time kernel
140s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe
Size

1.1MB
MD5

6fb75fe391e006f7cf47306a2167a761
SHA1

073117199995ad069e3f8ab0b16b7306f9407eb5
SHA256

434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b
SHA512

bbf31f77c6ff12170c879e5e146a3c8922537e75c03c1f120a6fac88a46f199af3f613cb3db2dcec32a192b78739b55aa2fe3319a28860950d2403153dd12c4d
SSDEEP

24576:pyRRhPAWFSXwBhB6YtNefnQTUSFtpFyTT1p5C7mmSTs68iixf9At:cbxkk9OfnQv0tpE7mtw6sf9A

Score

10^/10

redline lizsa metro redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lizsa

83.97.73.127:19045

Attributes

auth_value
44b0b71b36e78465dbdebb4ecfb78b77

Extracted

Family

redline

Botnet

metro

83.97.73.127:19045

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

z6965582.exez9566319.exeo8374333.exep7190786.exer4168836.exes7060454.exes7060454.exelegends.exelegends.exeredline.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4048	z6965582.exe
4548	z9566319.exe
4256	o8374333.exe
2156	p7190786.exe
4592	r4168836.exe
4364	s7060454.exe
4460	s7060454.exe
3676	legends.exe
4712	legends.exe
2548	redline.exe
2112	legends.exe
4244	legends.exe
2124	legends.exe
744	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4420 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4420	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exez6965582.exez9566319.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6965582.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6965582.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9566319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9566319.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o8374333.exer4168836.exes7060454.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 4256 set thread context of 2592	4256	o8374333.exe	AppLaunch.exe
PID 4592 set thread context of 4728	4592	r4168836.exe	AppLaunch.exe
PID 4364 set thread context of 4460	4364	s7060454.exe	s7060454.exe
PID 3676 set thread context of 4712	3676	legends.exe	legends.exe
PID 2112 set thread context of 4244	2112	legends.exe	legends.exe
PID 2124 set thread context of 744	2124	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4944 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exep7190786.exeAppLaunch.exeredline.exe

pid process

2592 AppLaunch.exe
2592 AppLaunch.exe
2156 p7190786.exe
2156 p7190786.exe
4728 AppLaunch.exe
4728 AppLaunch.exe
2548 redline.exe
2548 redline.exe

pid	process
4944	schtasks.exe

pid	process
2592	AppLaunch.exe
2592	AppLaunch.exe
2156	p7190786.exe
2156	p7190786.exe
4728	AppLaunch.exe
4728	AppLaunch.exe
2548	redline.exe
2548	redline.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exep7190786.exes7060454.exelegends.exeAppLaunch.exeredline.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2592	AppLaunch.exe
Token: SeDebugPrivilege	2156	p7190786.exe
Token: SeDebugPrivilege	4364	s7060454.exe
Token: SeDebugPrivilege	3676	legends.exe
Token: SeDebugPrivilege	4728	AppLaunch.exe
Token: SeDebugPrivilege	2548	redline.exe
Token: SeDebugPrivilege	2112	legends.exe
Token: SeDebugPrivilege	2124	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s7060454.exe

pid process

4460 s7060454.exe

pid	process
4460	s7060454.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exez6965582.exez9566319.exeo8374333.exer4168836.exes7060454.exes7060454.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 4024 wrote to memory of 4048	4024	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe	z6965582.exe
PID 4024 wrote to memory of 4048	4024	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe	z6965582.exe
PID 4024 wrote to memory of 4048	4024	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe	z6965582.exe
PID 4048 wrote to memory of 4548	4048	z6965582.exe	z9566319.exe
PID 4048 wrote to memory of 4548	4048	z6965582.exe	z9566319.exe
PID 4048 wrote to memory of 4548	4048	z6965582.exe	z9566319.exe
PID 4548 wrote to memory of 4256	4548	z9566319.exe	o8374333.exe
PID 4548 wrote to memory of 4256	4548	z9566319.exe	o8374333.exe
PID 4548 wrote to memory of 4256	4548	z9566319.exe	o8374333.exe
PID 4256 wrote to memory of 2592	4256	o8374333.exe	AppLaunch.exe
PID 4256 wrote to memory of 2592	4256	o8374333.exe	AppLaunch.exe
PID 4256 wrote to memory of 2592	4256	o8374333.exe	AppLaunch.exe
PID 4256 wrote to memory of 2592	4256	o8374333.exe	AppLaunch.exe
PID 4256 wrote to memory of 2592	4256	o8374333.exe	AppLaunch.exe
PID 4548 wrote to memory of 2156	4548	z9566319.exe	p7190786.exe
PID 4548 wrote to memory of 2156	4548	z9566319.exe	p7190786.exe
PID 4548 wrote to memory of 2156	4548	z9566319.exe	p7190786.exe
PID 4048 wrote to memory of 4592	4048	z6965582.exe	r4168836.exe
PID 4048 wrote to memory of 4592	4048	z6965582.exe	r4168836.exe
PID 4048 wrote to memory of 4592	4048	z6965582.exe	r4168836.exe
PID 4592 wrote to memory of 4728	4592	r4168836.exe	AppLaunch.exe
PID 4592 wrote to memory of 4728	4592	r4168836.exe	AppLaunch.exe
PID 4592 wrote to memory of 4728	4592	r4168836.exe	AppLaunch.exe
PID 4592 wrote to memory of 4728	4592	r4168836.exe	AppLaunch.exe
PID 4592 wrote to memory of 4728	4592	r4168836.exe	AppLaunch.exe
PID 4024 wrote to memory of 4364	4024	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe	s7060454.exe
PID 4024 wrote to memory of 4364	4024	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe	s7060454.exe
PID 4024 wrote to memory of 4364	4024	434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4364 wrote to memory of 4460	4364	s7060454.exe	s7060454.exe
PID 4460 wrote to memory of 3676	4460	s7060454.exe	legends.exe
PID 4460 wrote to memory of 3676	4460	s7060454.exe	legends.exe
PID 4460 wrote to memory of 3676	4460	s7060454.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 3676 wrote to memory of 4712	3676	legends.exe	legends.exe
PID 4712 wrote to memory of 4944	4712	legends.exe	schtasks.exe
PID 4712 wrote to memory of 4944	4712	legends.exe	schtasks.exe
PID 4712 wrote to memory of 4944	4712	legends.exe	schtasks.exe
PID 4712 wrote to memory of 4860	4712	legends.exe	cmd.exe
PID 4712 wrote to memory of 4860	4712	legends.exe	cmd.exe
PID 4712 wrote to memory of 4860	4712	legends.exe	cmd.exe
PID 4860 wrote to memory of 4816	4860	cmd.exe	cmd.exe
PID 4860 wrote to memory of 4816	4860	cmd.exe	cmd.exe
PID 4860 wrote to memory of 4816	4860	cmd.exe	cmd.exe
PID 4860 wrote to memory of 680	4860	cmd.exe	cacls.exe
PID 4860 wrote to memory of 680	4860	cmd.exe	cacls.exe
PID 4860 wrote to memory of 680	4860	cmd.exe	cacls.exe
PID 4860 wrote to memory of 5084	4860	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe
"C:\Users\Admin\AppData\Local\Temp\434d7530ab676b9c5085a1e14351d73aae7d4f5da1cf64cc662352b83ddac18b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6965582.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6965582.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9566319.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9566319.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8374333.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8374333.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7190786.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7190786.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4168836.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4168836.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7060454.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7060454.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7060454.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7060454.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4816

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:680

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3980

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:3348

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4420

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4244

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7060454.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7060454.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7060454.exe
Filesize
963KB

MD5
5b98601c6cccc4e0f18d638fce5e2247

SHA1
f5bd990e17c6dff1ad56a15eea4ae21da4c025d4

SHA256
11ea086f73421d6f54592dd3f592937f6ca4a3bf5cc1646a14c2ada5e6093e11

SHA512
d0ea6de52e080eafc02087f5eafa9d7aa6cd2c665e4a8d0b64bc80e384ea635476b65f172db7a7b5c41a9d9848e628ac7818d9843071c0c586aed3d167fe2d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6965582.exe
Filesize
634KB

MD5
ea2df224dacd13f557276cc1852b866a

SHA1
6f006f556a0a1a889b77608dfcfba7bfee071ec2

SHA256
2f5647797c486a862d889c1618732b2b969ad37f400f97aaec542fe23dcaae95

SHA512
b70d317c5b0bdb6444454f4ce061fd61ba167cea2c1eb8166574314121b7940d0724082644b367cfbc4f81348e1f3c88adb263d577635ab4847baf5afd10f59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6965582.exe
Filesize
634KB

MD5
ea2df224dacd13f557276cc1852b866a

SHA1
6f006f556a0a1a889b77608dfcfba7bfee071ec2

SHA256
2f5647797c486a862d889c1618732b2b969ad37f400f97aaec542fe23dcaae95

SHA512
b70d317c5b0bdb6444454f4ce061fd61ba167cea2c1eb8166574314121b7940d0724082644b367cfbc4f81348e1f3c88adb263d577635ab4847baf5afd10f59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4168836.exe
Filesize
342KB

MD5
af46496ee307a1c097561ec7196a6486

SHA1
788199e46296c9b34871d6ef58ab6a1b75909a76

SHA256
e6a822005dd2a1c049aedcad7ce53d23425fb88db1fffa58141e07e272aa1981

SHA512
d13dcad5f7637cd469b3cb2cc27ef03ab2e3755003883a84fb926ad92be27a64d4c276363f849fa860d6332e92a1b3a546f8155d18c9945fb019e12b585f5ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4168836.exe
Filesize
342KB

MD5
af46496ee307a1c097561ec7196a6486

SHA1
788199e46296c9b34871d6ef58ab6a1b75909a76

SHA256
e6a822005dd2a1c049aedcad7ce53d23425fb88db1fffa58141e07e272aa1981

SHA512
d13dcad5f7637cd469b3cb2cc27ef03ab2e3755003883a84fb926ad92be27a64d4c276363f849fa860d6332e92a1b3a546f8155d18c9945fb019e12b585f5ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9566319.exe
Filesize
290KB

MD5
587f788ff12ed3739eace2020089234d

SHA1
c690e97f9c8465971e94b792156bd071d84e947d

SHA256
e92e2cc2563a9fd6e77a8051989b95dc16279c881f439675f22526ce172e4377

SHA512
0e177ebaa1749ef5841d4eb446b713153225f12bd560a300f6e8c33499499b33cd0a7e91abdcd245411dd7f89e16a94137bb22d4ceecb9deb6aeafc736a0035a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9566319.exe
Filesize
290KB

MD5
587f788ff12ed3739eace2020089234d

SHA1
c690e97f9c8465971e94b792156bd071d84e947d

SHA256
e92e2cc2563a9fd6e77a8051989b95dc16279c881f439675f22526ce172e4377

SHA512
0e177ebaa1749ef5841d4eb446b713153225f12bd560a300f6e8c33499499b33cd0a7e91abdcd245411dd7f89e16a94137bb22d4ceecb9deb6aeafc736a0035a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8374333.exe
Filesize
185KB

MD5
cec3015de7276a052466ed963443601c

SHA1
b179839d9c0b7106cddb15ecaf17f64b77612621

SHA256
624bf9c5bb9d0537e1b604aa3648bb6b04eb5932da8bf9e64f553fbaecce7d75

SHA512
9d5dfc2341da757ef653adb117fb39607cac24e6ebca96d73e1381d278ee5e1518752d3f0f43b7f8d8795a5d83388d0c4aa919a931c6f548c271a2d26bfd4ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8374333.exe
Filesize
185KB

MD5
cec3015de7276a052466ed963443601c

SHA1
b179839d9c0b7106cddb15ecaf17f64b77612621

SHA256
624bf9c5bb9d0537e1b604aa3648bb6b04eb5932da8bf9e64f553fbaecce7d75

SHA512
9d5dfc2341da757ef653adb117fb39607cac24e6ebca96d73e1381d278ee5e1518752d3f0f43b7f8d8795a5d83388d0c4aa919a931c6f548c271a2d26bfd4ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7190786.exe
Filesize
168KB

MD5
909303f256676c672b70f11261987e63

SHA1
8b356bd484fafc85310c6088fac639faddda81df

SHA256
cca5c45700618221df5bf512af7b03e37d09d9020fbdbe1aa5a655fc76b31347

SHA512
765a7bf13f430d62fb698288f3e431bd1979ec2d39d7f78a1538fe3a13d2eefd73aa261837ce36cc76e88a1c648c9707bf57592ef37436c6a98b7cc114a84fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7190786.exe
Filesize
168KB

MD5
909303f256676c672b70f11261987e63

SHA1
8b356bd484fafc85310c6088fac639faddda81df

SHA256
cca5c45700618221df5bf512af7b03e37d09d9020fbdbe1aa5a655fc76b31347

SHA512
765a7bf13f430d62fb698288f3e431bd1979ec2d39d7f78a1538fe3a13d2eefd73aa261837ce36cc76e88a1c648c9707bf57592ef37436c6a98b7cc114a84fcb

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
memory/744-424-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/744-423-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/744-425-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2112-413-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/2124-420-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/2156-153-0x000000000AD90000-0x000000000AE9A000-memory.dmp

Filesize
1.0MB

Download
memory/2156-187-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/2156-186-0x000000000BE10000-0x000000000BE60000-memory.dmp

Filesize
320KB

Download
memory/2156-171-0x000000000CBD0000-0x000000000D0FC000-memory.dmp

Filesize
5.2MB

Download
memory/2156-170-0x000000000BEF0000-0x000000000C0B2000-memory.dmp

Filesize
1.8MB

Download
memory/2156-169-0x000000000C1A0000-0x000000000C69E000-memory.dmp

Filesize
5.0MB

Download
memory/2156-168-0x000000000B0B0000-0x000000000B116000-memory.dmp

Filesize
408KB

Download
memory/2156-167-0x000000000B150000-0x000000000B1E2000-memory.dmp

Filesize
584KB

Download
memory/2156-166-0x000000000B030000-0x000000000B0A6000-memory.dmp

Filesize
472KB

Download
memory/2156-161-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/2156-156-0x000000000AEA0000-0x000000000AEEB000-memory.dmp

Filesize
300KB

Download
memory/2156-155-0x000000000AD10000-0x000000000AD4E000-memory.dmp

Filesize
248KB

Download
memory/2156-154-0x000000000ACB0000-0x000000000ACC2000-memory.dmp

Filesize
72KB

Download
memory/2156-152-0x000000000B290000-0x000000000B896000-memory.dmp

Filesize
6.0MB

Download
memory/2156-151-0x00000000030C0000-0x00000000030C6000-memory.dmp

Filesize
24KB

Download
memory/2156-150-0x0000000000F80000-0x0000000000FAE000-memory.dmp

Filesize
184KB

Download
memory/2548-388-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2548-382-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/2548-389-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/2592-139-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3676-228-0x00000000071C0000-0x00000000071D0000-memory.dmp

Filesize
64KB

Download
memory/4244-417-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-418-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4244-416-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4364-206-0x0000000000870000-0x0000000000968000-memory.dmp

Filesize
992KB

Download
memory/4364-212-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/4460-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-222-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-364-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-408-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-238-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4712-379-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4728-207-0x00000000091E0000-0x00000000091F0000-memory.dmp

Filesize
64KB

Download
memory/4728-205-0x00000000011C0000-0x00000000011C6000-memory.dmp

Filesize
24KB

Download
memory/4728-343-0x00000000091E0000-0x00000000091F0000-memory.dmp

Filesize
64KB

Download
memory/4728-193-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download