redline | bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe
Size

1.1MB
MD5

c3e7ef198f1496cdb48fe6ce023c805e
SHA1

1f50cdabe3987e08d4fa4b1ca6f7a274b0973587
SHA256

bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2
SHA512

e2d1adb982a5a726e273e1c5970bae577ba8505a181c6b814f7930bc1d5de5289a896c55ea0b8e80c1c5e95fe02c61ed70a57bfbc31bcabccde465da598db4ae
SSDEEP

24576:My7lg4yl5wR9L363fOBS1gKn3i9NshNGfyjnpP3XW5Y9x4mPav:7+Z5g9D0G01gmuNtfi1HW5bmP

Score

10^/10

redline luka terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o6606859.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o6606859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6606859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6606859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6606859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6606859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6606859.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s4893896.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s4893896.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 17 IoCs

Processes:

z5465842.exez1756098.exeo6606859.exep2348554.exer8101517.exer8101517.exes4893896.exes4893896.exes4893896.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4632	z5465842.exe
792	z1756098.exe
568	o6606859.exe
3528	p2348554.exe
2208	r8101517.exe
4128	r8101517.exe
4196	s4893896.exe
900	s4893896.exe
2144	s4893896.exe
2348	legends.exe
2720	legends.exe
1996	legends.exe
3056	legends.exe
3800	legends.exe
4668	legends.exe
1496	legends.exe
976	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4720 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4720	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o6606859.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6606859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6606859.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z5465842.exez1756098.exebb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5465842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5465842.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1756098.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1756098.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

r8101517.exes4893896.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 2208 set thread context of 4128	2208	r8101517.exe	r8101517.exe
PID 4196 set thread context of 2144	4196	s4893896.exe	s4893896.exe
PID 2348 set thread context of 2720	2348	legends.exe	legends.exe
PID 1996 set thread context of 3800	1996	legends.exe	legends.exe
PID 4668 set thread context of 976	4668	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2780 3528 WerFault.exe p2348554.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o6606859.exer8101517.exe

pid process

568 o6606859.exe
568 o6606859.exe
4128 r8101517.exe
4128 r8101517.exe

pid	pid_target	process	target process
2780	3528	WerFault.exe	p2348554.exe

pid	process
1376	schtasks.exe

pid	process
568	o6606859.exe
568	o6606859.exe
4128	r8101517.exe
4128	r8101517.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

o6606859.exer8101517.exes4893896.exer8101517.exelegends.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	568	o6606859.exe
Token: SeDebugPrivilege	2208	r8101517.exe
Token: SeDebugPrivilege	4196	s4893896.exe
Token: SeDebugPrivilege	4128	r8101517.exe
Token: SeDebugPrivilege	2348	legends.exe
Token: SeDebugPrivilege	1996	legends.exe
Token: SeDebugPrivilege	4668	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s4893896.exe

pid process

2144 s4893896.exe

pid	process
2144	s4893896.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exez5465842.exez1756098.exer8101517.exes4893896.exes4893896.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 4632	1520	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe	z5465842.exe
PID 1520 wrote to memory of 4632	1520	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe	z5465842.exe
PID 1520 wrote to memory of 4632	1520	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe	z5465842.exe
PID 4632 wrote to memory of 792	4632	z5465842.exe	z1756098.exe
PID 4632 wrote to memory of 792	4632	z5465842.exe	z1756098.exe
PID 4632 wrote to memory of 792	4632	z5465842.exe	z1756098.exe
PID 792 wrote to memory of 568	792	z1756098.exe	o6606859.exe
PID 792 wrote to memory of 568	792	z1756098.exe	o6606859.exe
PID 792 wrote to memory of 568	792	z1756098.exe	o6606859.exe
PID 792 wrote to memory of 3528	792	z1756098.exe	p2348554.exe
PID 792 wrote to memory of 3528	792	z1756098.exe	p2348554.exe
PID 792 wrote to memory of 3528	792	z1756098.exe	p2348554.exe
PID 4632 wrote to memory of 2208	4632	z5465842.exe	r8101517.exe
PID 4632 wrote to memory of 2208	4632	z5465842.exe	r8101517.exe
PID 4632 wrote to memory of 2208	4632	z5465842.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 2208 wrote to memory of 4128	2208	r8101517.exe	r8101517.exe
PID 1520 wrote to memory of 4196	1520	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe	s4893896.exe
PID 1520 wrote to memory of 4196	1520	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe	s4893896.exe
PID 1520 wrote to memory of 4196	1520	bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe	s4893896.exe
PID 4196 wrote to memory of 900	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 900	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 900	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 900	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 4196 wrote to memory of 2144	4196	s4893896.exe	s4893896.exe
PID 2144 wrote to memory of 2348	2144	s4893896.exe	legends.exe
PID 2144 wrote to memory of 2348	2144	s4893896.exe	legends.exe
PID 2144 wrote to memory of 2348	2144	s4893896.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2348 wrote to memory of 2720	2348	legends.exe	legends.exe
PID 2720 wrote to memory of 1376	2720	legends.exe	schtasks.exe
PID 2720 wrote to memory of 1376	2720	legends.exe	schtasks.exe
PID 2720 wrote to memory of 1376	2720	legends.exe	schtasks.exe
PID 2720 wrote to memory of 2868	2720	legends.exe	cmd.exe
PID 2720 wrote to memory of 2868	2720	legends.exe	cmd.exe
PID 2720 wrote to memory of 2868	2720	legends.exe	cmd.exe
PID 2868 wrote to memory of 1984	2868	cmd.exe	cmd.exe
PID 2868 wrote to memory of 1984	2868	cmd.exe	cmd.exe
PID 2868 wrote to memory of 1984	2868	cmd.exe	cmd.exe
PID 2868 wrote to memory of 1828	2868	cmd.exe	cacls.exe
PID 2868 wrote to memory of 1828	2868	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe
"C:\Users\Admin\AppData\Local\Temp\bb311383a0262412695d656019fd1be92243a377c7a3211924af0921c5bc80d2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5465842.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5465842.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1756098.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1756098.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6606859.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6606859.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2348554.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2348554.exe
4⤵
- Executes dropped EXE
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 928
5⤵
- Program crash
PID:2780

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8101517.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8101517.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8101517.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8101517.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
3⤵
- Executes dropped EXE
PID:900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1984

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:1828

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3912

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:3908

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:3180

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3528 -ip 3528
1⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r8101517.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4893896.exe
Filesize
961KB

MD5
7484325708e49e8ee3f687ed6edee92d

SHA1
5383b96bb591a6f10964ab739cecc81da3b72b53

SHA256
f5e3ea26dda20cd45e22b8e0171b305e5e2eff08ffd801e8817547ee59bb98a7

SHA512
dbd20f5e8bfc8a9bc7720b8025818b92511676aa4e1a1d239c016601626688d8ae832b99e43ac12b984758f7673054068875a392862c5077779fc48851955dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5465842.exe
Filesize
702KB

MD5
2b47627b96ca5a89af231a6d8dde2e8b

SHA1
0c3047c31ad0a70fa9c3f692055956a8e2ced615

SHA256
9dfea60774880274850850b65fda9483d2e175eebf3c3a7d8141f75f89a9d9fd

SHA512
3110d75684322ecc534ecadcb664554e6f960e67a3aad8b487e020727aacd9895c42ced9fed93c2e647c3a82ceb7e6e3d6c24305ee7db48d748fd28e4225de72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5465842.exe
Filesize
702KB

MD5
2b47627b96ca5a89af231a6d8dde2e8b

SHA1
0c3047c31ad0a70fa9c3f692055956a8e2ced615

SHA256
9dfea60774880274850850b65fda9483d2e175eebf3c3a7d8141f75f89a9d9fd

SHA512
3110d75684322ecc534ecadcb664554e6f960e67a3aad8b487e020727aacd9895c42ced9fed93c2e647c3a82ceb7e6e3d6c24305ee7db48d748fd28e4225de72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8101517.exe
Filesize
905KB

MD5
6c616d4adab8beaf3b9aea49da5d6859

SHA1
a401143cb9f5fd2b143a232e1723c2d60db4f2c4

SHA256
80dd12ab916c1455a3344a51e0b3172f216dcf57d871d7202a29d34160aaa883

SHA512
10180931f3ac11ea35c5f114596e3afb6992246ead4b9b7a2b21ebc3775f06d85ffe4fdd121b45077aebefb0ad2542991c5a30cc18444fef6f62ea4d08ca4eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8101517.exe
Filesize
905KB

MD5
6c616d4adab8beaf3b9aea49da5d6859

SHA1
a401143cb9f5fd2b143a232e1723c2d60db4f2c4

SHA256
80dd12ab916c1455a3344a51e0b3172f216dcf57d871d7202a29d34160aaa883

SHA512
10180931f3ac11ea35c5f114596e3afb6992246ead4b9b7a2b21ebc3775f06d85ffe4fdd121b45077aebefb0ad2542991c5a30cc18444fef6f62ea4d08ca4eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8101517.exe
Filesize
905KB

MD5
6c616d4adab8beaf3b9aea49da5d6859

SHA1
a401143cb9f5fd2b143a232e1723c2d60db4f2c4

SHA256
80dd12ab916c1455a3344a51e0b3172f216dcf57d871d7202a29d34160aaa883

SHA512
10180931f3ac11ea35c5f114596e3afb6992246ead4b9b7a2b21ebc3775f06d85ffe4fdd121b45077aebefb0ad2542991c5a30cc18444fef6f62ea4d08ca4eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1756098.exe
Filesize
306KB

MD5
6ff3f96d53f66ca96aaefa82164189db

SHA1
d263161f3f1db3709fb6d690180a7a17a1cc3cff

SHA256
6788d9515c31345b337e1edbd8d147da059cae4f04521bf73d061628ad2099d2

SHA512
3195e429fa27fda4174f3bbb1b6e32127993e1d5454ddd1614bf76dd3eb4c0f3955f75aaee5114c1148e38b9a88982ade8a30ea88d530459dcfdc1ad39ce785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1756098.exe
Filesize
306KB

MD5
6ff3f96d53f66ca96aaefa82164189db

SHA1
d263161f3f1db3709fb6d690180a7a17a1cc3cff

SHA256
6788d9515c31345b337e1edbd8d147da059cae4f04521bf73d061628ad2099d2

SHA512
3195e429fa27fda4174f3bbb1b6e32127993e1d5454ddd1614bf76dd3eb4c0f3955f75aaee5114c1148e38b9a88982ade8a30ea88d530459dcfdc1ad39ce785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6606859.exe
Filesize
185KB

MD5
4bb2ad096f130f3c066ca72ff0beb8dc

SHA1
c82ae6808284edb8b157e3f815bb7310422eb3fa

SHA256
62631bfea13d2357455b3933c4577db1650ce67fc76c4c1d73bb2007b27b9317

SHA512
2a197b73b23b306451c27888c4f5962ecc3dcadddd37b0f1886c096d7c67f05bf8964725e8d0bdbfb1e3b6a0fb311272782aebac19cf0a87f22765661ee25c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6606859.exe
Filesize
185KB

MD5
4bb2ad096f130f3c066ca72ff0beb8dc

SHA1
c82ae6808284edb8b157e3f815bb7310422eb3fa

SHA256
62631bfea13d2357455b3933c4577db1650ce67fc76c4c1d73bb2007b27b9317

SHA512
2a197b73b23b306451c27888c4f5962ecc3dcadddd37b0f1886c096d7c67f05bf8964725e8d0bdbfb1e3b6a0fb311272782aebac19cf0a87f22765661ee25c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2348554.exe
Filesize
145KB

MD5
a50e136c05a24e806c55815bb4ff34ff

SHA1
9c3c4da49303dcf6bcef238612dceace2422143e

SHA256
51ef431896df7df2537de8582766deb0c6fec9105001da5ce8cfc7421e6a4f33

SHA512
5b0a76ed68f5e93f8687414d476500ef3e74d8ac88a7aa7574ffdaec4c886eb18fe1d88cce8f4dfd7d932da4693eb517d446937abbbe277cadd93fb96e52259d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2348554.exe
Filesize
145KB

MD5
a50e136c05a24e806c55815bb4ff34ff

SHA1
9c3c4da49303dcf6bcef238612dceace2422143e

SHA256
51ef431896df7df2537de8582766deb0c6fec9105001da5ce8cfc7421e6a4f33

SHA512
5b0a76ed68f5e93f8687414d476500ef3e74d8ac88a7aa7574ffdaec4c886eb18fe1d88cce8f4dfd7d932da4693eb517d446937abbbe277cadd93fb96e52259d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/568-157-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-156-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/568-168-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-170-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-172-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-164-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-162-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-174-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-176-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-160-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-166-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-187-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/568-186-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/568-185-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/568-178-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-184-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-180-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/568-154-0x0000000004A20000-0x0000000004FC4000-memory.dmp

Filesize
5.6MB

Download
memory/568-155-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/568-182-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/976-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/976-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/976-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1996-253-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/2144-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2144-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2144-234-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2144-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2144-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2208-196-0x00000000008B0000-0x0000000000998000-memory.dmp

Filesize
928KB

Download
memory/2208-197-0x0000000007670000-0x0000000007680000-memory.dmp

Filesize
64KB

Download
memory/2348-237-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download
memory/2720-242-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2720-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2720-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2720-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2720-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3528-192-0x0000000000960000-0x000000000098A000-memory.dmp

Filesize
168KB

Download
memory/3800-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3800-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3800-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4128-210-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/4128-219-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/4128-246-0x0000000006B50000-0x0000000006BC6000-memory.dmp

Filesize
472KB

Download
memory/4128-238-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/4128-236-0x0000000007930000-0x0000000007E5C000-memory.dmp

Filesize
5.2MB

Download
memory/4128-235-0x0000000006C60000-0x0000000006E22000-memory.dmp

Filesize
1.8MB

Download
memory/4128-223-0x0000000006800000-0x0000000006892000-memory.dmp

Filesize
584KB

Download
memory/4128-249-0x0000000006BD0000-0x0000000006C20000-memory.dmp

Filesize
320KB

Download
memory/4128-198-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4128-208-0x0000000005910000-0x000000000594C000-memory.dmp

Filesize
240KB

Download
memory/4128-207-0x00000000058B0000-0x00000000058C2000-memory.dmp

Filesize
72KB

Download
memory/4128-206-0x0000000005980000-0x0000000005A8A000-memory.dmp

Filesize
1.0MB

Download
memory/4128-205-0x0000000005E40000-0x0000000006458000-memory.dmp

Filesize
6.1MB

Download
memory/4196-204-0x0000000000AF0000-0x0000000000BE6000-memory.dmp

Filesize
984KB

Download
memory/4196-209-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Filesize
64KB

Download