redline | f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57

Analysis

max time kernel
134s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe
Size

1.1MB
MD5

5896a3d32d0c098783a3328f73180e1c
SHA1

a2dc65bd6929a9ab3198844076db329b2cdb586a
SHA256

f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57
SHA512

bd6966afd79b52a3c2b7238eebf0a8277fd2efede24a0b5f46006ff678a01872c186b4d8567ec459e85ea57e7055bab4e0ef606981e792c458f560930553be19
SSDEEP

24576:xybHl/yIGC0v227WyZX5eUnwDUSXnbOrodTDat:kbF/y00v2JyOUnwJbOY

Score

10^/10

redline lizsa metro redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lizsa

83.97.73.127:19045

Attributes

auth_value
44b0b71b36e78465dbdebb4ecfb78b77

Extracted

Family

redline

Botnet

metro

83.97.73.127:19045

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

z8684191.exez2022531.exeo6291044.exep8125150.exer2038787.exes6244668.exes6244668.exelegends.exelegends.exeredline.exelegends.exelegends.exelegends.exelegends.exe

pid	process
2264	z8684191.exe
2504	z2022531.exe
2956	o6291044.exe
4216	p8125150.exe
1236	r2038787.exe
2096	s6244668.exe
2668	s6244668.exe
3160	legends.exe
2916	legends.exe
3572	redline.exe
1752	legends.exe
1580	legends.exe
3200	legends.exe
4208	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5100 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5100	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z2022531.exef8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exez8684191.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2022531.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8684191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8684191.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2022531.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o6291044.exer2038787.exes6244668.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 2956 set thread context of 5108	2956	o6291044.exe	AppLaunch.exe
PID 1236 set thread context of 4668	1236	r2038787.exe	AppLaunch.exe
PID 2096 set thread context of 2668	2096	s6244668.exe	s6244668.exe
PID 3160 set thread context of 2916	3160	legends.exe	legends.exe
PID 1752 set thread context of 1580	1752	legends.exe	legends.exe
PID 3200 set thread context of 4208	3200	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exep8125150.exeAppLaunch.exeredline.exe

pid process

5108 AppLaunch.exe
5108 AppLaunch.exe
4216 p8125150.exe
4216 p8125150.exe
4668 AppLaunch.exe
4668 AppLaunch.exe
3572 redline.exe
3572 redline.exe

pid	process
4932	schtasks.exe

pid	process
5108	AppLaunch.exe
5108	AppLaunch.exe
4216	p8125150.exe
4216	p8125150.exe
4668	AppLaunch.exe
4668	AppLaunch.exe
3572	redline.exe
3572	redline.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exep8125150.exes6244668.exelegends.exeAppLaunch.exeredline.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	5108	AppLaunch.exe
Token: SeDebugPrivilege	4216	p8125150.exe
Token: SeDebugPrivilege	2096	s6244668.exe
Token: SeDebugPrivilege	3160	legends.exe
Token: SeDebugPrivilege	4668	AppLaunch.exe
Token: SeDebugPrivilege	3572	redline.exe
Token: SeDebugPrivilege	1752	legends.exe
Token: SeDebugPrivilege	3200	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s6244668.exe

pid process

2668 s6244668.exe

pid	process
2668	s6244668.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exez8684191.exez2022531.exeo6291044.exer2038787.exes6244668.exes6244668.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 2264	2064	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe	z8684191.exe
PID 2064 wrote to memory of 2264	2064	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe	z8684191.exe
PID 2064 wrote to memory of 2264	2064	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe	z8684191.exe
PID 2264 wrote to memory of 2504	2264	z8684191.exe	z2022531.exe
PID 2264 wrote to memory of 2504	2264	z8684191.exe	z2022531.exe
PID 2264 wrote to memory of 2504	2264	z8684191.exe	z2022531.exe
PID 2504 wrote to memory of 2956	2504	z2022531.exe	o6291044.exe
PID 2504 wrote to memory of 2956	2504	z2022531.exe	o6291044.exe
PID 2504 wrote to memory of 2956	2504	z2022531.exe	o6291044.exe
PID 2956 wrote to memory of 5108	2956	o6291044.exe	AppLaunch.exe
PID 2956 wrote to memory of 5108	2956	o6291044.exe	AppLaunch.exe
PID 2956 wrote to memory of 5108	2956	o6291044.exe	AppLaunch.exe
PID 2956 wrote to memory of 5108	2956	o6291044.exe	AppLaunch.exe
PID 2956 wrote to memory of 5108	2956	o6291044.exe	AppLaunch.exe
PID 2504 wrote to memory of 4216	2504	z2022531.exe	p8125150.exe
PID 2504 wrote to memory of 4216	2504	z2022531.exe	p8125150.exe
PID 2504 wrote to memory of 4216	2504	z2022531.exe	p8125150.exe
PID 2264 wrote to memory of 1236	2264	z8684191.exe	r2038787.exe
PID 2264 wrote to memory of 1236	2264	z8684191.exe	r2038787.exe
PID 2264 wrote to memory of 1236	2264	z8684191.exe	r2038787.exe
PID 1236 wrote to memory of 4668	1236	r2038787.exe	AppLaunch.exe
PID 1236 wrote to memory of 4668	1236	r2038787.exe	AppLaunch.exe
PID 1236 wrote to memory of 4668	1236	r2038787.exe	AppLaunch.exe
PID 1236 wrote to memory of 4668	1236	r2038787.exe	AppLaunch.exe
PID 1236 wrote to memory of 4668	1236	r2038787.exe	AppLaunch.exe
PID 2064 wrote to memory of 2096	2064	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe	s6244668.exe
PID 2064 wrote to memory of 2096	2064	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe	s6244668.exe
PID 2064 wrote to memory of 2096	2064	f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2096 wrote to memory of 2668	2096	s6244668.exe	s6244668.exe
PID 2668 wrote to memory of 3160	2668	s6244668.exe	legends.exe
PID 2668 wrote to memory of 3160	2668	s6244668.exe	legends.exe
PID 2668 wrote to memory of 3160	2668	s6244668.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 3160 wrote to memory of 2916	3160	legends.exe	legends.exe
PID 2916 wrote to memory of 4932	2916	legends.exe	schtasks.exe
PID 2916 wrote to memory of 4932	2916	legends.exe	schtasks.exe
PID 2916 wrote to memory of 4932	2916	legends.exe	schtasks.exe
PID 2916 wrote to memory of 4884	2916	legends.exe	cmd.exe
PID 2916 wrote to memory of 4884	2916	legends.exe	cmd.exe
PID 2916 wrote to memory of 4884	2916	legends.exe	cmd.exe
PID 4884 wrote to memory of 4904	4884	cmd.exe	cmd.exe
PID 4884 wrote to memory of 4904	4884	cmd.exe	cmd.exe
PID 4884 wrote to memory of 4904	4884	cmd.exe	cmd.exe
PID 4884 wrote to memory of 4424	4884	cmd.exe	cacls.exe
PID 4884 wrote to memory of 4424	4884	cmd.exe	cacls.exe
PID 4884 wrote to memory of 4424	4884	cmd.exe	cacls.exe
PID 4884 wrote to memory of 3636	4884	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe
"C:\Users\Admin\AppData\Local\Temp\f8e255eef59ce44e71a377c7b433550d59c8078884673cad97b937e1cb370e57.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8684191.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8684191.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2022531.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2022531.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6291044.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6291044.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8125150.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8125150.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2038787.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2038787.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6244668.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6244668.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6244668.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6244668.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4904

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:4424

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5052

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:5048

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:5100

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6244668.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6244668.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6244668.exe
Filesize
963KB

MD5
314f7ed71a4afebc892ce70c60da5d55

SHA1
69dfad57b04c4b826a9d521baebb840c514100c6

SHA256
b6051cc3d3dc1492ccab6f5926c64b4349e9486cbf4d571300f902b7ab9debde

SHA512
a4d15abe8fc5630d12f364fdc5e13549ba3d48444b31502670abecfd0d00a2af791d5f032b462bfb9615e0361b73dbd81800a59d59ff220e2ed2b84f3bd25ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8684191.exe
Filesize
634KB

MD5
b412203a23ab5815022a33c66f9c16cb

SHA1
5a9880f2be4dcf37e6cea46e9e91ab72c3acde59

SHA256
e32d15258b2c9a0d4ef093e1db650dd9bd237a10ae23e731adf9b6346dda8cf2

SHA512
b366aca1eb71d33a3977033e1ce7124dd03282ece70506fb9210269138083fa95d8ebea2ef7f7c3fbfba452d901c9d95bc0e9e0d0c901efffe505604a8eac404

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8684191.exe
Filesize
634KB

MD5
b412203a23ab5815022a33c66f9c16cb

SHA1
5a9880f2be4dcf37e6cea46e9e91ab72c3acde59

SHA256
e32d15258b2c9a0d4ef093e1db650dd9bd237a10ae23e731adf9b6346dda8cf2

SHA512
b366aca1eb71d33a3977033e1ce7124dd03282ece70506fb9210269138083fa95d8ebea2ef7f7c3fbfba452d901c9d95bc0e9e0d0c901efffe505604a8eac404

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2038787.exe
Filesize
342KB

MD5
8bc796ebcce32bbd812ac62b9cfd0ed3

SHA1
1c07e80ca7d40a79ebd7b0dbaf7be5fe70470cab

SHA256
402ef0c5a9bcaa07d525afdbc0678f54ea27f24cb01df9682926b027994d41c2

SHA512
6b3974db9297e5b39108694b3f561257f8b98d99ace100378fdcba77907cc93f9563b256a2380732b32cd46a8619c287e578e9f9b23605d875cbb3e097f47168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2038787.exe
Filesize
342KB

MD5
8bc796ebcce32bbd812ac62b9cfd0ed3

SHA1
1c07e80ca7d40a79ebd7b0dbaf7be5fe70470cab

SHA256
402ef0c5a9bcaa07d525afdbc0678f54ea27f24cb01df9682926b027994d41c2

SHA512
6b3974db9297e5b39108694b3f561257f8b98d99ace100378fdcba77907cc93f9563b256a2380732b32cd46a8619c287e578e9f9b23605d875cbb3e097f47168

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2022531.exe
Filesize
290KB

MD5
0beb907869fe859eeb857694e872a8a9

SHA1
37b5ff431a3a7dfb58baa0d89fd54bd18283b2ad

SHA256
31bedfa53bb42ae597b4b2144f136d764a6d5e730018f2aa923ba880964210ca

SHA512
28be1a2a0986fc0743e8fe8be42242910387d333a64fb6c2fa2c124dce868ea43e42e5267c694bbf6a4e8b796c9d5d045b61f19b1801da77007da8494a0b8b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2022531.exe
Filesize
290KB

MD5
0beb907869fe859eeb857694e872a8a9

SHA1
37b5ff431a3a7dfb58baa0d89fd54bd18283b2ad

SHA256
31bedfa53bb42ae597b4b2144f136d764a6d5e730018f2aa923ba880964210ca

SHA512
28be1a2a0986fc0743e8fe8be42242910387d333a64fb6c2fa2c124dce868ea43e42e5267c694bbf6a4e8b796c9d5d045b61f19b1801da77007da8494a0b8b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6291044.exe
Filesize
185KB

MD5
132e070162e7c4686e03eda0176fc913

SHA1
306184b785ca69c33f80fc8aa0b1691e483ab287

SHA256
533b903230cbd965e4af467c83a74996b6bb6f7b702ae2dbf3c59a9057137d2f

SHA512
87134e22af91511fad56af48d3b26900c351e8a58d168113e8a12cf3700984651558ff7c3d48e8622b534d07d07c872aa65d0c15f73ab2fdb4fda76f57223d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6291044.exe
Filesize
185KB

MD5
132e070162e7c4686e03eda0176fc913

SHA1
306184b785ca69c33f80fc8aa0b1691e483ab287

SHA256
533b903230cbd965e4af467c83a74996b6bb6f7b702ae2dbf3c59a9057137d2f

SHA512
87134e22af91511fad56af48d3b26900c351e8a58d168113e8a12cf3700984651558ff7c3d48e8622b534d07d07c872aa65d0c15f73ab2fdb4fda76f57223d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8125150.exe
Filesize
168KB

MD5
3dc5f87452039617aca45414df123759

SHA1
e7392e0fc21b8f7129e4c63746ca4590b29c4aea

SHA256
d3530c3dfe1d556e30c3fb3d0f72a94704cf72ae09b901f00f0e6c2d01176187

SHA512
02661fddf03c667a3f7c3f9caea99f69e09c966f317aa6b4635b044b00ffad9c48220ec988eb3f4479601e478fd002565d16884460cb1868494d81a4dbe6ee17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8125150.exe
Filesize
168KB

MD5
3dc5f87452039617aca45414df123759

SHA1
e7392e0fc21b8f7129e4c63746ca4590b29c4aea

SHA256
d3530c3dfe1d556e30c3fb3d0f72a94704cf72ae09b901f00f0e6c2d01176187

SHA512
02661fddf03c667a3f7c3f9caea99f69e09c966f317aa6b4635b044b00ffad9c48220ec988eb3f4479601e478fd002565d16884460cb1868494d81a4dbe6ee17

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
memory/1580-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1580-400-0x0000000000F00000-0x0000000000FAE000-memory.dmp

Filesize
696KB

Download
memory/1752-397-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/2096-209-0x0000000000490000-0x0000000000588000-memory.dmp

Filesize
992KB

Download
memory/2096-211-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2668-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-231-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-420-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-372-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-253-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-299-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3160-232-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/3200-424-0x0000000006FC0000-0x0000000006FD0000-memory.dmp

Filesize
64KB

Download
memory/3572-392-0x0000000004E80000-0x0000000004ECB000-memory.dmp

Filesize
300KB

Download
memory/3572-391-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3572-393-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3572-390-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/4208-429-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4208-428-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4208-427-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4216-171-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/4216-160-0x00000000058A0000-0x00000000058DE000-memory.dmp

Filesize
248KB

Download
memory/4216-190-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/4216-188-0x0000000006BA0000-0x0000000006D62000-memory.dmp

Filesize
1.8MB

Download
memory/4216-173-0x0000000006530000-0x0000000006596000-memory.dmp

Filesize
408KB

Download
memory/4216-172-0x0000000006ED0000-0x00000000073CE000-memory.dmp

Filesize
5.0MB

Download
memory/4216-191-0x0000000006E70000-0x0000000006EC0000-memory.dmp

Filesize
320KB

Download
memory/4216-170-0x0000000005BC0000-0x0000000005C36000-memory.dmp

Filesize
472KB

Download
memory/4216-165-0x00000000058F0000-0x000000000593B000-memory.dmp

Filesize
300KB

Download
memory/4216-189-0x0000000008C20000-0x000000000914C000-memory.dmp

Filesize
5.2MB

Download
memory/4216-159-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/4216-158-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/4216-157-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4216-156-0x0000000005EB0000-0x00000000064B6000-memory.dmp

Filesize
6.0MB

Download
memory/4216-155-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/4216-154-0x0000000000F30000-0x0000000000F5E000-memory.dmp

Filesize
184KB

Download
memory/4668-216-0x0000000006670000-0x0000000006680000-memory.dmp

Filesize
64KB

Download
memory/4668-197-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4668-210-0x0000000006610000-0x0000000006616000-memory.dmp

Filesize
24KB

Download
memory/5108-143-0x00000000043F0000-0x00000000043FA000-memory.dmp

Filesize
40KB

Download