redline | 61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe
Size

1.1MB
MD5

f1599b9018ad90da57ebee58f6f3583a
SHA1

35881374f98f1c3a89947dbcd3dd8f8813cc4d46
SHA256

61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e
SHA512

adec4d8dfdf9b896a2569598113110fc1cc029ce06056d804574a93bfb711c37364dc24026e840ffa3f17d547df82bb7d2f01a0b6a3bde8669e79a7b2b901280
SSDEEP

24576:rylGN0d7bpJkUq8udVmnVZlnt3X/fYTJz0QlOWO/Q2OcTr60Af:edd7rkUodYnVZlVIyQla/Qcr

Score

10^/10

redline luka terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o0170948.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o0170948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0170948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0170948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0170948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0170948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0170948.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legends.exes0779823.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s0779823.exe

Executes dropped EXE 14 IoCs

Processes:

z9693240.exez4819202.exeo0170948.exep8946414.exer7130553.exer7130553.exes0779823.exes0779823.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4224	z9693240.exe
2852	z4819202.exe
2896	o0170948.exe
4028	p8946414.exe
1260	r7130553.exe
4068	r7130553.exe
376	s0779823.exe
600	s0779823.exe
2712	legends.exe
1168	legends.exe
2276	legends.exe
3652	legends.exe
4592	legends.exe
4448	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2448 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2448	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o0170948.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o0170948.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0170948.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z9693240.exez4819202.exe61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9693240.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4819202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4819202.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9693240.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

r7130553.exes0779823.exelegends.exelegends.exe

description	pid	process	target process
PID 1260 set thread context of 4068	1260	r7130553.exe	r7130553.exe
PID 376 set thread context of 600	376	s0779823.exe	s0779823.exe
PID 2712 set thread context of 1168	2712	legends.exe	legends.exe
PID 2276 set thread context of 3652	2276	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

676 4028 WerFault.exe p8946414.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4972 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o0170948.exer7130553.exe

pid process

2896 o0170948.exe
2896 o0170948.exe
4068 r7130553.exe
4068 r7130553.exe

pid	pid_target	process	target process
676	4028	WerFault.exe	p8946414.exe

pid	process
4972	schtasks.exe

pid	process
2896	o0170948.exe
2896	o0170948.exe
4068	r7130553.exe
4068	r7130553.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

o0170948.exer7130553.exes0779823.exelegends.exer7130553.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2896	o0170948.exe
Token: SeDebugPrivilege	1260	r7130553.exe
Token: SeDebugPrivilege	376	s0779823.exe
Token: SeDebugPrivilege	2712	legends.exe
Token: SeDebugPrivilege	4068	r7130553.exe
Token: SeDebugPrivilege	2276	legends.exe
Token: SeDebugPrivilege	4592	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s0779823.exe

pid process

600 s0779823.exe

pid	process
600	s0779823.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exez9693240.exez4819202.exer7130553.exes0779823.exes0779823.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 4224	1156	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe	z9693240.exe
PID 1156 wrote to memory of 4224	1156	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe	z9693240.exe
PID 1156 wrote to memory of 4224	1156	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe	z9693240.exe
PID 4224 wrote to memory of 2852	4224	z9693240.exe	z4819202.exe
PID 4224 wrote to memory of 2852	4224	z9693240.exe	z4819202.exe
PID 4224 wrote to memory of 2852	4224	z9693240.exe	z4819202.exe
PID 2852 wrote to memory of 2896	2852	z4819202.exe	o0170948.exe
PID 2852 wrote to memory of 2896	2852	z4819202.exe	o0170948.exe
PID 2852 wrote to memory of 2896	2852	z4819202.exe	o0170948.exe
PID 2852 wrote to memory of 4028	2852	z4819202.exe	p8946414.exe
PID 2852 wrote to memory of 4028	2852	z4819202.exe	p8946414.exe
PID 2852 wrote to memory of 4028	2852	z4819202.exe	p8946414.exe
PID 4224 wrote to memory of 1260	4224	z9693240.exe	r7130553.exe
PID 4224 wrote to memory of 1260	4224	z9693240.exe	r7130553.exe
PID 4224 wrote to memory of 1260	4224	z9693240.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1260 wrote to memory of 4068	1260	r7130553.exe	r7130553.exe
PID 1156 wrote to memory of 376	1156	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe	s0779823.exe
PID 1156 wrote to memory of 376	1156	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe	s0779823.exe
PID 1156 wrote to memory of 376	1156	61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 376 wrote to memory of 600	376	s0779823.exe	s0779823.exe
PID 600 wrote to memory of 2712	600	s0779823.exe	legends.exe
PID 600 wrote to memory of 2712	600	s0779823.exe	legends.exe
PID 600 wrote to memory of 2712	600	s0779823.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 2712 wrote to memory of 1168	2712	legends.exe	legends.exe
PID 1168 wrote to memory of 4972	1168	legends.exe	schtasks.exe
PID 1168 wrote to memory of 4972	1168	legends.exe	schtasks.exe
PID 1168 wrote to memory of 4972	1168	legends.exe	schtasks.exe
PID 1168 wrote to memory of 2776	1168	legends.exe	cmd.exe
PID 1168 wrote to memory of 2776	1168	legends.exe	cmd.exe
PID 1168 wrote to memory of 2776	1168	legends.exe	cmd.exe
PID 2776 wrote to memory of 5004	2776	cmd.exe	cmd.exe
PID 2776 wrote to memory of 5004	2776	cmd.exe	cmd.exe
PID 2776 wrote to memory of 5004	2776	cmd.exe	cmd.exe
PID 2776 wrote to memory of 5044	2776	cmd.exe	cacls.exe
PID 2776 wrote to memory of 5044	2776	cmd.exe	cacls.exe
PID 2776 wrote to memory of 5044	2776	cmd.exe	cacls.exe
PID 2776 wrote to memory of 436	2776	cmd.exe	cacls.exe
PID 2776 wrote to memory of 436	2776	cmd.exe	cacls.exe
PID 2776 wrote to memory of 436	2776	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe
"C:\Users\Admin\AppData\Local\Temp\61ae2976792c032d5d802008d24ac795cbaa24978312958714eaf8db5f03054e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9693240.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9693240.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4819202.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4819202.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0170948.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0170948.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8946414.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8946414.exe
4⤵
- Executes dropped EXE
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 928
5⤵
- Program crash
PID:676

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7130553.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7130553.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7130553.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7130553.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0779823.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0779823.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0779823.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0779823.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5004

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:5044

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2244

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:448

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:3908

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4028 -ip 4028
1⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3652

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4448

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r7130553.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0779823.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0779823.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0779823.exe
Filesize
961KB

MD5
82d47674e8f395c92dc181cff3737910

SHA1
eb510cbc446d097fdde50c8f08bdb05b0f12c6ef

SHA256
54582938fd99bfbb933d091d9bd3b3012065290391f58bfbe3c4479688ab13dd

SHA512
bc15e8957ca1785a2cf782bbd8b75ab67433271d4141ed9c8f321a01dd600a8c8742b1339e9d5235f8061a4cf44b22b496e9773b7465e6a2dcb404603580d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9693240.exe
Filesize
702KB

MD5
ad8736de788261e3fb131fc61eb070f0

SHA1
45d8006c80230f52222a2ad172fa4a31edb8b705

SHA256
352800378338325a8cec2a3fe9bf88b6a96a8f4be0f59d25ae3ff582f2c72cf0

SHA512
e05acd95d958c423224cb0d409f6a7ab701a0636201e7f6310f2d85d3c18869c52fff8b42dfa2b411ee41f6bf8e70d3206bacb095023f2c1430c0229775b52ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9693240.exe
Filesize
702KB

MD5
ad8736de788261e3fb131fc61eb070f0

SHA1
45d8006c80230f52222a2ad172fa4a31edb8b705

SHA256
352800378338325a8cec2a3fe9bf88b6a96a8f4be0f59d25ae3ff582f2c72cf0

SHA512
e05acd95d958c423224cb0d409f6a7ab701a0636201e7f6310f2d85d3c18869c52fff8b42dfa2b411ee41f6bf8e70d3206bacb095023f2c1430c0229775b52ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7130553.exe
Filesize
905KB

MD5
a51e19e78cc282b5ac0715909beede24

SHA1
aeb2cb13ca4137838cca171707d8d0d082dd68b3

SHA256
f72726c6579f062cf71b0c87ab91d25e0711b5e3ca278897b9ffb6c01754fc98

SHA512
6dfa6a09380b84bd4c3b745b80a6ecda79947b564046293333eefcda77375bed4b9abafd2a7f9a2b91e11eec6579c068e5834450507391074522fb64cc17c987

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7130553.exe
Filesize
905KB

MD5
a51e19e78cc282b5ac0715909beede24

SHA1
aeb2cb13ca4137838cca171707d8d0d082dd68b3

SHA256
f72726c6579f062cf71b0c87ab91d25e0711b5e3ca278897b9ffb6c01754fc98

SHA512
6dfa6a09380b84bd4c3b745b80a6ecda79947b564046293333eefcda77375bed4b9abafd2a7f9a2b91e11eec6579c068e5834450507391074522fb64cc17c987

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7130553.exe
Filesize
905KB

MD5
a51e19e78cc282b5ac0715909beede24

SHA1
aeb2cb13ca4137838cca171707d8d0d082dd68b3

SHA256
f72726c6579f062cf71b0c87ab91d25e0711b5e3ca278897b9ffb6c01754fc98

SHA512
6dfa6a09380b84bd4c3b745b80a6ecda79947b564046293333eefcda77375bed4b9abafd2a7f9a2b91e11eec6579c068e5834450507391074522fb64cc17c987

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4819202.exe
Filesize
306KB

MD5
2f28588d3c4f24147822c16356ca56bc

SHA1
e9b029d394927dabd81e0faea0e0be065c12068c

SHA256
4abb7c2d5bd161d031971786743e591300ac5600b3d8f89611a2e37eb8a3dd18

SHA512
aec96b5d54c666a0c41caaafa78509db178bedaf8fcb9e37486bfd6f01896ea30c735e4ff47f17e343c23aab63094f9c6b0bd2ea4195e01e32a398aca20334cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4819202.exe
Filesize
306KB

MD5
2f28588d3c4f24147822c16356ca56bc

SHA1
e9b029d394927dabd81e0faea0e0be065c12068c

SHA256
4abb7c2d5bd161d031971786743e591300ac5600b3d8f89611a2e37eb8a3dd18

SHA512
aec96b5d54c666a0c41caaafa78509db178bedaf8fcb9e37486bfd6f01896ea30c735e4ff47f17e343c23aab63094f9c6b0bd2ea4195e01e32a398aca20334cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0170948.exe
Filesize
185KB

MD5
0965781ea0915778cda087e6ead93f74

SHA1
b2d5affd34d0415ed57043c67ec05296b9418248

SHA256
ec69ed21fa975090fdd629f7da5fe8fdad6d01bbda3966d42ab1c3fed791de2a

SHA512
205aa19cb99aa336600210bbfba3d94672af97c76f894efcb47f3412a569140faeb3951b90757693223b59fb419b32d926b52618aa7bd02f2af4dc75d9aa87d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0170948.exe
Filesize
185KB

MD5
0965781ea0915778cda087e6ead93f74

SHA1
b2d5affd34d0415ed57043c67ec05296b9418248

SHA256
ec69ed21fa975090fdd629f7da5fe8fdad6d01bbda3966d42ab1c3fed791de2a

SHA512
205aa19cb99aa336600210bbfba3d94672af97c76f894efcb47f3412a569140faeb3951b90757693223b59fb419b32d926b52618aa7bd02f2af4dc75d9aa87d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8946414.exe
Filesize
145KB

MD5
10ddaf3be84ef42b45332456e72ede2f

SHA1
e6c9cafe510baf8561ba142356212223ef67ff79

SHA256
202c6eafc2694fb60f48d7b41db2c37c5f521e2c5c8d233a29ba23e871914098

SHA512
725462ee85ac55d583d8bcc45f4f4bdab4acb796af9fb1f3f6eae5d116b5fccac6a96f2a1786db649544bece70fd773667bf8e502eecb0dc0ea10dd8d3b518cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8946414.exe
Filesize
145KB

MD5
10ddaf3be84ef42b45332456e72ede2f

SHA1
e6c9cafe510baf8561ba142356212223ef67ff79

SHA256
202c6eafc2694fb60f48d7b41db2c37c5f521e2c5c8d233a29ba23e871914098

SHA512
725462ee85ac55d583d8bcc45f4f4bdab4acb796af9fb1f3f6eae5d116b5fccac6a96f2a1786db649544bece70fd773667bf8e502eecb0dc0ea10dd8d3b518cf

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/376-208-0x0000000007640000-0x0000000007650000-memory.dmp

Filesize
64KB

Download
memory/376-205-0x00000000007E0000-0x00000000008D6000-memory.dmp

Filesize
984KB

Download
memory/600-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/600-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/600-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/600-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/600-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-267-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-242-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1168-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1260-197-0x0000000007060000-0x0000000007070000-memory.dmp

Filesize
64KB

Download
memory/1260-196-0x0000000000150000-0x0000000000238000-memory.dmp

Filesize
928KB

Download
memory/2276-272-0x0000000006FB0000-0x0000000006FC0000-memory.dmp

Filesize
64KB

Download
memory/2712-233-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/2896-178-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-162-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-154-0x0000000004BD0000-0x0000000005174000-memory.dmp

Filesize
5.6MB

Download
memory/2896-155-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2896-156-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2896-157-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-158-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-160-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-187-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2896-185-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2896-186-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2896-184-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-164-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-166-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-168-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-170-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-182-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-180-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-176-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-172-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2896-174-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/3652-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3652-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3652-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4028-192-0x0000000000F40000-0x0000000000F6A000-memory.dmp

Filesize
168KB

Download
memory/4068-206-0x0000000005CA0000-0x00000000062B8000-memory.dmp

Filesize
6.1MB

Download
memory/4068-235-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/4068-234-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/4068-211-0x0000000005A90000-0x0000000005AA0000-memory.dmp

Filesize
64KB

Download
memory/4068-245-0x00000000076F0000-0x0000000007C1C000-memory.dmp

Filesize
5.2MB

Download
memory/4068-198-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4068-236-0x0000000006740000-0x00000000067B6000-memory.dmp

Filesize
472KB

Download
memory/4068-207-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/4068-237-0x00000000067C0000-0x0000000006810000-memory.dmp

Filesize
320KB

Download
memory/4068-249-0x0000000005A90000-0x0000000005AA0000-memory.dmp

Filesize
64KB

Download
memory/4068-244-0x0000000006FF0000-0x00000000071B2000-memory.dmp

Filesize
1.8MB

Download
memory/4068-209-0x0000000005710000-0x0000000005722000-memory.dmp

Filesize
72KB

Download
memory/4068-210-0x0000000005770000-0x00000000057AC000-memory.dmp

Filesize
240KB

Download