redline | 990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20

Analysis

max time kernel
121s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe
Size

1.1MB
MD5

7a4707fd231c51d495c96ece8bb74a80
SHA1

5a389eaf12553acf938b83907a611091df21b07f
SHA256

990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20
SHA512

0661fe09a8a327055ee9f3d1723726bd8ee5af268bbc082b035b67ff012a861745cf2fea89cae0af993bbae8d7516969c79ea28f9c0648316325591621b0ec1e
SSDEEP

24576:Ey0VzWVGSDJ9grgMseycJueP00LOnFWIMX1N:TmzWVG2Jqbse9J7qfM

Score

10^/10

redline horor linda discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

linda

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Extracted

Family

redline

Botnet

horor

185.161.248.75:4132

Attributes

auth_value
b8d506fe48db15c38fb031d07f42d529

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o7479609.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7479609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7479609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7479609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7479609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7479609.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o7479609.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s4614986.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s4614986.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 14 IoCs

Processes:

z4170706.exez4617684.exeo7479609.exep7317495.exer3711561.exer3711561.exes4614986.exes4614986.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
1944	z4170706.exe
3384	z4617684.exe
2840	o7479609.exe
1852	p7317495.exe
2144	r3711561.exe
4860	r3711561.exe
812	s4614986.exe
3880	s4614986.exe
3116	legends.exe
3428	legends.exe
1056	legends.exe
224	legends.exe
4076	legends.exe
2368	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5024 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5024	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o7479609.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o7479609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7479609.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exez4170706.exez4617684.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4170706.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4170706.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4617684.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4617684.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

r3711561.exes4614986.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 2144 set thread context of 4860	2144	r3711561.exe	r3711561.exe
PID 812 set thread context of 3880	812	s4614986.exe	s4614986.exe
PID 3116 set thread context of 3428	3116	legends.exe	legends.exe
PID 1056 set thread context of 224	1056	legends.exe	legends.exe
PID 4076 set thread context of 2368	4076	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2216 1852 WerFault.exe p7317495.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4256 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o7479609.exer3711561.exe

pid process

2840 o7479609.exe
2840 o7479609.exe
4860 r3711561.exe
4860 r3711561.exe

pid	pid_target	process	target process
2216	1852	WerFault.exe	p7317495.exe

pid	process
4256	schtasks.exe

pid	process
2840	o7479609.exe
2840	o7479609.exe
4860	r3711561.exe
4860	r3711561.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

o7479609.exer3711561.exes4614986.exelegends.exer3711561.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2840	o7479609.exe
Token: SeDebugPrivilege	2144	r3711561.exe
Token: SeDebugPrivilege	812	s4614986.exe
Token: SeDebugPrivilege	3116	legends.exe
Token: SeDebugPrivilege	4860	r3711561.exe
Token: SeDebugPrivilege	1056	legends.exe
Token: SeDebugPrivilege	4076	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s4614986.exe

pid process

3880 s4614986.exe

pid	process
3880	s4614986.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exez4170706.exez4617684.exer3711561.exes4614986.exes4614986.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 4028 wrote to memory of 1944	4028	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe	z4170706.exe
PID 4028 wrote to memory of 1944	4028	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe	z4170706.exe
PID 4028 wrote to memory of 1944	4028	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe	z4170706.exe
PID 1944 wrote to memory of 3384	1944	z4170706.exe	z4617684.exe
PID 1944 wrote to memory of 3384	1944	z4170706.exe	z4617684.exe
PID 1944 wrote to memory of 3384	1944	z4170706.exe	z4617684.exe
PID 3384 wrote to memory of 2840	3384	z4617684.exe	o7479609.exe
PID 3384 wrote to memory of 2840	3384	z4617684.exe	o7479609.exe
PID 3384 wrote to memory of 2840	3384	z4617684.exe	o7479609.exe
PID 3384 wrote to memory of 1852	3384	z4617684.exe	p7317495.exe
PID 3384 wrote to memory of 1852	3384	z4617684.exe	p7317495.exe
PID 3384 wrote to memory of 1852	3384	z4617684.exe	p7317495.exe
PID 1944 wrote to memory of 2144	1944	z4170706.exe	r3711561.exe
PID 1944 wrote to memory of 2144	1944	z4170706.exe	r3711561.exe
PID 1944 wrote to memory of 2144	1944	z4170706.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 2144 wrote to memory of 4860	2144	r3711561.exe	r3711561.exe
PID 4028 wrote to memory of 812	4028	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe	s4614986.exe
PID 4028 wrote to memory of 812	4028	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe	s4614986.exe
PID 4028 wrote to memory of 812	4028	990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 812 wrote to memory of 3880	812	s4614986.exe	s4614986.exe
PID 3880 wrote to memory of 3116	3880	s4614986.exe	legends.exe
PID 3880 wrote to memory of 3116	3880	s4614986.exe	legends.exe
PID 3880 wrote to memory of 3116	3880	s4614986.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3116 wrote to memory of 3428	3116	legends.exe	legends.exe
PID 3428 wrote to memory of 4256	3428	legends.exe	schtasks.exe
PID 3428 wrote to memory of 4256	3428	legends.exe	schtasks.exe
PID 3428 wrote to memory of 4256	3428	legends.exe	schtasks.exe
PID 3428 wrote to memory of 4440	3428	legends.exe	cmd.exe
PID 3428 wrote to memory of 4440	3428	legends.exe	cmd.exe
PID 3428 wrote to memory of 4440	3428	legends.exe	cmd.exe
PID 4440 wrote to memory of 2012	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 2012	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 2012	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 528	4440	cmd.exe	cacls.exe
PID 4440 wrote to memory of 528	4440	cmd.exe	cacls.exe
PID 4440 wrote to memory of 528	4440	cmd.exe	cacls.exe
PID 4440 wrote to memory of 3252	4440	cmd.exe	cacls.exe
PID 4440 wrote to memory of 3252	4440	cmd.exe	cacls.exe
PID 4440 wrote to memory of 3252	4440	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe
"C:\Users\Admin\AppData\Local\Temp\990717506c4c481efc7f30d3b6a9dd16f4fc46115d33870de2cf43bb26a92f20.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4170706.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4170706.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4617684.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4617684.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7479609.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7479609.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7317495.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7317495.exe
4⤵
- Executes dropped EXE
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 928
5⤵
- Program crash
PID:2216

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3711561.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3711561.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3711561.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3711561.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4614986.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4614986.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4614986.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4614986.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:528

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4172

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:2928

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:2908

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852
1⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r3711561.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4614986.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4614986.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4614986.exe
Filesize
961KB

MD5
84b8f2e15aefb2c970cd99f55cea7dbf

SHA1
906a5bbc856f450049dac18510b79aeaa7ff21f7

SHA256
eba2fbef87c7654f065d61218447d2fba5b24c3601a81828b15af53fe5020317

SHA512
f8a6c28f5c5a7bd1b402c68f37ed79a289db2abcd22e7554147abcaf844d84de68b4baa3fdbe527b6351b3924bba862c3f116cc91b8c29c1e1743b8d2529de39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4170706.exe
Filesize
701KB

MD5
4db0f9815e7e933bed453040789ec4da

SHA1
030c6ed52721b74764db0b9cbce1a905190ea752

SHA256
9799d87cf642777677ade10e66ac26ac9490ab453b0353a8cfe913ea0ad89a82

SHA512
21920f9785e52b0d1a564d7e1b8b81ac6abbf262ff0d6c5f6d63b7be8381f97d2bf13ed0ee3e3e16c24f4c56a60365d7828f120db25e1fd0e46b4d9172b0bee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4170706.exe
Filesize
701KB

MD5
4db0f9815e7e933bed453040789ec4da

SHA1
030c6ed52721b74764db0b9cbce1a905190ea752

SHA256
9799d87cf642777677ade10e66ac26ac9490ab453b0353a8cfe913ea0ad89a82

SHA512
21920f9785e52b0d1a564d7e1b8b81ac6abbf262ff0d6c5f6d63b7be8381f97d2bf13ed0ee3e3e16c24f4c56a60365d7828f120db25e1fd0e46b4d9172b0bee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3711561.exe
Filesize
903KB

MD5
fd3a1f42d0680a8856d733a5a3261ccc

SHA1
e56577dae63eb8512987ce95076dbc88c500b86f

SHA256
eee0384836674904aafe7a930657fd17ce029e1ff8c8918c9411f6659c8a008c

SHA512
6aae201765b1e17d574436068671d15dc495c168f72477f235d21347242500c5c6f26b7866b2e293bc4ed8e9ce44b2ba4131b111dabb6e4cf095dce729d4296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3711561.exe
Filesize
903KB

MD5
fd3a1f42d0680a8856d733a5a3261ccc

SHA1
e56577dae63eb8512987ce95076dbc88c500b86f

SHA256
eee0384836674904aafe7a930657fd17ce029e1ff8c8918c9411f6659c8a008c

SHA512
6aae201765b1e17d574436068671d15dc495c168f72477f235d21347242500c5c6f26b7866b2e293bc4ed8e9ce44b2ba4131b111dabb6e4cf095dce729d4296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3711561.exe
Filesize
903KB

MD5
fd3a1f42d0680a8856d733a5a3261ccc

SHA1
e56577dae63eb8512987ce95076dbc88c500b86f

SHA256
eee0384836674904aafe7a930657fd17ce029e1ff8c8918c9411f6659c8a008c

SHA512
6aae201765b1e17d574436068671d15dc495c168f72477f235d21347242500c5c6f26b7866b2e293bc4ed8e9ce44b2ba4131b111dabb6e4cf095dce729d4296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4617684.exe
Filesize
305KB

MD5
c540775dc2018ad607afb32ab74ffc48

SHA1
f269d3e6540e05b13e109da1616b6f180bbb0690

SHA256
b5da929d0e214e0890313981ab692dcc69b67fb52396eaeadafac259daa05c32

SHA512
b2c84b3754139e9a3424fcfa583345703c9c30c25dae03718ecec7bd7585d3db954cd45da64176144f493e58b3e6bbfe3efbe8062de84c82b6271a0f744b7bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4617684.exe
Filesize
305KB

MD5
c540775dc2018ad607afb32ab74ffc48

SHA1
f269d3e6540e05b13e109da1616b6f180bbb0690

SHA256
b5da929d0e214e0890313981ab692dcc69b67fb52396eaeadafac259daa05c32

SHA512
b2c84b3754139e9a3424fcfa583345703c9c30c25dae03718ecec7bd7585d3db954cd45da64176144f493e58b3e6bbfe3efbe8062de84c82b6271a0f744b7bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7479609.exe
Filesize
184KB

MD5
128251e5b9c1e18a8711abd358c8a49b

SHA1
0e2e2ec64af4fbff759ed2a1fc9098901c070d08

SHA256
25275a55a04753f79bfa1bfe3e1993d25557245d56c9cd2d2f5709b23e7a997a

SHA512
d412bff1620d79849346650715b46fe7ffa710b8c800e0a8306f624fd0b993d70d559fdf5dfcdfbb41907f872d45c3b53077c000e67d68c42e8fc70c00114a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7479609.exe
Filesize
184KB

MD5
128251e5b9c1e18a8711abd358c8a49b

SHA1
0e2e2ec64af4fbff759ed2a1fc9098901c070d08

SHA256
25275a55a04753f79bfa1bfe3e1993d25557245d56c9cd2d2f5709b23e7a997a

SHA512
d412bff1620d79849346650715b46fe7ffa710b8c800e0a8306f624fd0b993d70d559fdf5dfcdfbb41907f872d45c3b53077c000e67d68c42e8fc70c00114a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7317495.exe
Filesize
145KB

MD5
f8962678fb3e58c3fc2206e31348b06a

SHA1
90e067348421aeb3430eed2035b392a55f6f5849

SHA256
1dd5fa115b55cb16217987e28d706ff9c317d3167a09c498daf21747db2f2489

SHA512
ffb66707dbbc1fda36505894e27cc8df8c14b4dbfdeb212247a3fae6f6819ed308210eb75e91c12a876ab87d32195e8b88ca56f76e7de8e8f3a9a6151340c5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7317495.exe
Filesize
145KB

MD5
f8962678fb3e58c3fc2206e31348b06a

SHA1
90e067348421aeb3430eed2035b392a55f6f5849

SHA256
1dd5fa115b55cb16217987e28d706ff9c317d3167a09c498daf21747db2f2489

SHA512
ffb66707dbbc1fda36505894e27cc8df8c14b4dbfdeb212247a3fae6f6819ed308210eb75e91c12a876ab87d32195e8b88ca56f76e7de8e8f3a9a6151340c5e3

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/224-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/224-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/224-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/812-206-0x0000000000500000-0x00000000005F6000-memory.dmp

Filesize
984KB

Download
memory/812-209-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/1056-253-0x0000000007720000-0x0000000007730000-memory.dmp

Filesize
64KB

Download
memory/1852-193-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-197-0x0000000000B30000-0x0000000000C18000-memory.dmp

Filesize
928KB

Download
memory/2144-198-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/2368-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2368-283-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2368-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2840-163-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-181-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-171-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-173-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-167-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-165-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-185-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-177-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-175-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-179-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-183-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-169-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-161-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-159-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-158-0x0000000002670000-0x0000000002686000-memory.dmp

Filesize
88KB

Download
memory/2840-188-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2840-154-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/2840-187-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2840-157-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2840-156-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2840-186-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/2840-155-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/3116-234-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/3428-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3428-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3428-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3428-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3428-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3880-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3880-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3880-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3880-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3880-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4076-280-0x0000000007710000-0x0000000007720000-memory.dmp

Filesize
64KB

Download
memory/4860-235-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/4860-246-0x0000000006A50000-0x0000000006C12000-memory.dmp

Filesize
1.8MB

Download
memory/4860-250-0x0000000006CA0000-0x0000000006CF0000-memory.dmp

Filesize
320KB

Download
memory/4860-236-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4860-247-0x0000000007150000-0x000000000767C000-memory.dmp

Filesize
5.2MB

Download
memory/4860-248-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/4860-212-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/4860-211-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download
memory/4860-249-0x0000000006C20000-0x0000000006C96000-memory.dmp

Filesize
472KB

Download
memory/4860-210-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/4860-208-0x0000000005180000-0x000000000528A000-memory.dmp

Filesize
1.0MB

Download
memory/4860-207-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/4860-199-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download