redline | c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2023, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe
Size

1.1MB
MD5

ce7bb9dbdc4b7d073feee6d7c77e2d23
SHA1

b34f1daf7519fef95d0b65b6e4231f6bc6821675
SHA256

c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee
SHA512

4828e6f7fe5346e8b84fbacd76552645ac2a91fb63280ac26e053ce094d1a8acca8c1c9227daa8814f8d3018e47ffb98719d53b447544bf2cd687ba096237ff6
SSDEEP

24576:5yf+AwQZ2ZTmu77wLy06NukF+AUsN2VS8a3++JL4A6ltP:sGW8mu70Ly06NnAAUs8E8c++SAw

Score

10^/10

redline larry warum discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

larry

185.161.248.75:4132

Attributes

auth_value
9039557bb7a08f5f2f60e2b71e1dee0e

Extracted

Family

redline

Botnet

warum

185.161.248.75:4132

Attributes

auth_value
0bdb2dda91dadc65f555dee088a6a2a4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o2787954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o2787954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o2787954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o2787954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o2787954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o2787954.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s1082156.exe

Executes dropped EXE 14 IoCs

pid	Process
4664	z0460167.exe
4384	z6352682.exe
3780	o2787954.exe
3552	p3057837.exe
4320	r7897622.exe
3776	r7897622.exe
4024	r7897622.exe
4016	r7897622.exe
2288	s1082156.exe
4300	s1082156.exe
640	legends.exe
4212	legends.exe
1236	legends.exe
4480	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
4088	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o2787954.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o2787954.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0460167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0460167.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6352682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6352682.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 4016	4320	r7897622.exe	99
PID 2288 set thread context of 4300	2288	s1082156.exe	101
PID 640 set thread context of 4212	640	legends.exe	103
PID 1236 set thread context of 4480	1236	legends.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3780	o2787954.exe
3780	o2787954.exe
3552	p3057837.exe
3552	p3057837.exe
4016	r7897622.exe
4016	r7897622.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3780	o2787954.exe
Token: SeDebugPrivilege	3552	p3057837.exe
Token: SeDebugPrivilege	4320	r7897622.exe
Token: SeDebugPrivilege	2288	s1082156.exe
Token: SeDebugPrivilege	640	legends.exe
Token: SeDebugPrivilege	4016	r7897622.exe
Token: SeDebugPrivilege	1236	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4300	s1082156.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 4664	3832	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe	84
PID 3832 wrote to memory of 4664	3832	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe	84
PID 3832 wrote to memory of 4664	3832	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe	84
PID 4664 wrote to memory of 4384	4664	z0460167.exe	85
PID 4664 wrote to memory of 4384	4664	z0460167.exe	85
PID 4664 wrote to memory of 4384	4664	z0460167.exe	85
PID 4384 wrote to memory of 3780	4384	z6352682.exe	86
PID 4384 wrote to memory of 3780	4384	z6352682.exe	86
PID 4384 wrote to memory of 3780	4384	z6352682.exe	86
PID 4384 wrote to memory of 3552	4384	z6352682.exe	94
PID 4384 wrote to memory of 3552	4384	z6352682.exe	94
PID 4384 wrote to memory of 3552	4384	z6352682.exe	94
PID 4664 wrote to memory of 4320	4664	z0460167.exe	96
PID 4664 wrote to memory of 4320	4664	z0460167.exe	96
PID 4664 wrote to memory of 4320	4664	z0460167.exe	96
PID 4320 wrote to memory of 3776	4320	r7897622.exe	97
PID 4320 wrote to memory of 3776	4320	r7897622.exe	97
PID 4320 wrote to memory of 3776	4320	r7897622.exe	97
PID 4320 wrote to memory of 3776	4320	r7897622.exe	97
PID 4320 wrote to memory of 4024	4320	r7897622.exe	98
PID 4320 wrote to memory of 4024	4320	r7897622.exe	98
PID 4320 wrote to memory of 4024	4320	r7897622.exe	98
PID 4320 wrote to memory of 4024	4320	r7897622.exe	98
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 4320 wrote to memory of 4016	4320	r7897622.exe	99
PID 3832 wrote to memory of 2288	3832	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe	100
PID 3832 wrote to memory of 2288	3832	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe	100
PID 3832 wrote to memory of 2288	3832	c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe	100
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 2288 wrote to memory of 4300	2288	s1082156.exe	101
PID 4300 wrote to memory of 640	4300	s1082156.exe	102
PID 4300 wrote to memory of 640	4300	s1082156.exe	102
PID 4300 wrote to memory of 640	4300	s1082156.exe	102
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 640 wrote to memory of 4212	640	legends.exe	103
PID 4212 wrote to memory of 3488	4212	legends.exe	104
PID 4212 wrote to memory of 3488	4212	legends.exe	104
PID 4212 wrote to memory of 3488	4212	legends.exe	104
PID 4212 wrote to memory of 2704	4212	legends.exe	106
PID 4212 wrote to memory of 2704	4212	legends.exe	106
PID 4212 wrote to memory of 2704	4212	legends.exe	106
PID 2704 wrote to memory of 1928	2704	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe
"C:\Users\Admin\AppData\Local\Temp\c54b0e6503641821eb500899f6c823a9e1063991b27de8fbb901c7d3392c1dee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0460167.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0460167.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6352682.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6352682.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2787954.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2787954.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3057837.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3057837.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
      4⤵
      Executes dropped EXE
      PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
      4⤵
      Executes dropped EXE
      PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1082156.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1082156.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1082156.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1082156.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3488
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:3376
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4088

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1236
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r7897622.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1082156.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1082156.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1082156.exe

Filesize
962KB

MD5
499ce05261149ba083acd9e4dc78a469

SHA1
9448cd418edc87e907f5a2c85cce90c57aec86c9

SHA256
b91cad57ac10cad5db72dd9ebc34dce7c2d12580f7d65fd455f5ae2972a91446

SHA512
734f268ff08a119c59d9e2c682d57191413d642cfaf7ed859cda0dfc18da4bea19d37cc0854761d518467d8c107bf1be1eaae4cc24ddc3510ddbbea4aba1022c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0460167.exe

Filesize
702KB

MD5
0a1165bd25aad1530a91f1309ccfb6e2

SHA1
5160a29b1973646a3355aa425eff9032979b08a0

SHA256
034098565589cbe6e6b80a1141335c16c23f6b56ec452eb6ff22146848aa78fa

SHA512
a4a5ced8a484b0a1fb4e2be376a9ff6b347f80d656dbabe193bc1bb2565279602994c5ae5dce7767d164c83d2ce4efe3612b252bdb79f428f4a9dd3eb08f724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0460167.exe

Filesize
702KB

MD5
0a1165bd25aad1530a91f1309ccfb6e2

SHA1
5160a29b1973646a3355aa425eff9032979b08a0

SHA256
034098565589cbe6e6b80a1141335c16c23f6b56ec452eb6ff22146848aa78fa

SHA512
a4a5ced8a484b0a1fb4e2be376a9ff6b347f80d656dbabe193bc1bb2565279602994c5ae5dce7767d164c83d2ce4efe3612b252bdb79f428f4a9dd3eb08f724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe

Filesize
903KB

MD5
40667a189676badb873abb821da8569e

SHA1
2dc8952b0b0ac980e5344946bb51ebf5ac798e77

SHA256
5a81af15441572e0dc49ba688d5d240128ae2b4107a60fb658f923d9b967f868

SHA512
275d1c7c8bfbfc9f74d7ff5f76484ad39f6f75f3114fa26e356cd69343a845197cfb556f20f6d957a4619eca3ea91f9533073abac9465d69dffbd3f241380d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe

Filesize
903KB

MD5
40667a189676badb873abb821da8569e

SHA1
2dc8952b0b0ac980e5344946bb51ebf5ac798e77

SHA256
5a81af15441572e0dc49ba688d5d240128ae2b4107a60fb658f923d9b967f868

SHA512
275d1c7c8bfbfc9f74d7ff5f76484ad39f6f75f3114fa26e356cd69343a845197cfb556f20f6d957a4619eca3ea91f9533073abac9465d69dffbd3f241380d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe

Filesize
903KB

MD5
40667a189676badb873abb821da8569e

SHA1
2dc8952b0b0ac980e5344946bb51ebf5ac798e77

SHA256
5a81af15441572e0dc49ba688d5d240128ae2b4107a60fb658f923d9b967f868

SHA512
275d1c7c8bfbfc9f74d7ff5f76484ad39f6f75f3114fa26e356cd69343a845197cfb556f20f6d957a4619eca3ea91f9533073abac9465d69dffbd3f241380d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe

Filesize
903KB

MD5
40667a189676badb873abb821da8569e

SHA1
2dc8952b0b0ac980e5344946bb51ebf5ac798e77

SHA256
5a81af15441572e0dc49ba688d5d240128ae2b4107a60fb658f923d9b967f868

SHA512
275d1c7c8bfbfc9f74d7ff5f76484ad39f6f75f3114fa26e356cd69343a845197cfb556f20f6d957a4619eca3ea91f9533073abac9465d69dffbd3f241380d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7897622.exe

Filesize
903KB

MD5
40667a189676badb873abb821da8569e

SHA1
2dc8952b0b0ac980e5344946bb51ebf5ac798e77

SHA256
5a81af15441572e0dc49ba688d5d240128ae2b4107a60fb658f923d9b967f868

SHA512
275d1c7c8bfbfc9f74d7ff5f76484ad39f6f75f3114fa26e356cd69343a845197cfb556f20f6d957a4619eca3ea91f9533073abac9465d69dffbd3f241380d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6352682.exe

Filesize
305KB

MD5
11289c745f0f4d20b9c5508ea784f437

SHA1
6f636f7eda1e6c59e3fe75280d68dd7ee089350a

SHA256
6839a49ef7bb1290787af2a197eb28076eaf4032973cba49dbf9a232d171214c

SHA512
199938c360a859d5cdfb3e0411c5a04237b9a7a8044bde8f23f679db02b59b292f15fb7f13d50a7e8a6e25bd5ae3a6c6ae9dbdf165bc437f619bf42b8ec4dc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6352682.exe

Filesize
305KB

MD5
11289c745f0f4d20b9c5508ea784f437

SHA1
6f636f7eda1e6c59e3fe75280d68dd7ee089350a

SHA256
6839a49ef7bb1290787af2a197eb28076eaf4032973cba49dbf9a232d171214c

SHA512
199938c360a859d5cdfb3e0411c5a04237b9a7a8044bde8f23f679db02b59b292f15fb7f13d50a7e8a6e25bd5ae3a6c6ae9dbdf165bc437f619bf42b8ec4dc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2787954.exe

Filesize
183KB

MD5
f39f77bc8224041c24a92c2d0b5cc02b

SHA1
1af03051e1e3b4eebb7da7865ab412f018d6cf09

SHA256
be3dad52f353e83b6f3eae0150d927f8cdd8c7c016c772ba791abb5396e7ffc3

SHA512
9228847d7d0af207ce7ac157e47c7bc83f401cdae46d39fc450f26653d190e748126c2143085ba61f9e5e222a52317d93622ee235d53c7227dca8746126d0769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2787954.exe

Filesize
183KB

MD5
f39f77bc8224041c24a92c2d0b5cc02b

SHA1
1af03051e1e3b4eebb7da7865ab412f018d6cf09

SHA256
be3dad52f353e83b6f3eae0150d927f8cdd8c7c016c772ba791abb5396e7ffc3

SHA512
9228847d7d0af207ce7ac157e47c7bc83f401cdae46d39fc450f26653d190e748126c2143085ba61f9e5e222a52317d93622ee235d53c7227dca8746126d0769

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3057837.exe

Filesize
145KB

MD5
44de146a09ecfabd3d3a2e86f1693f0e

SHA1
61f16b72b1d0c9ff83248af72b7189e269f81e26

SHA256
2de4fc0c2c35a091aa10d0a26d711cf8b6a1d95325ea0d11fb1064d6c89aaf34

SHA512
f9b721c2999eb2ee3f33b807a0bf895a1aecbaa2988683fdd5057e5848bc866ca322e7068d4576cbb9f4510d8cffcdd2916b7e0d783738e184a5d4dcc5aa1e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3057837.exe

Filesize
145KB

MD5
44de146a09ecfabd3d3a2e86f1693f0e

SHA1
61f16b72b1d0c9ff83248af72b7189e269f81e26

SHA256
2de4fc0c2c35a091aa10d0a26d711cf8b6a1d95325ea0d11fb1064d6c89aaf34

SHA512
f9b721c2999eb2ee3f33b807a0bf895a1aecbaa2988683fdd5057e5848bc866ca322e7068d4576cbb9f4510d8cffcdd2916b7e0d783738e184a5d4dcc5aa1e2a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/640-246-0x0000000007960000-0x0000000007970000-memory.dmp

Filesize
64KB

Download
memory/1236-258-0x0000000007680000-0x0000000007690000-memory.dmp

Filesize
64KB

Download
memory/2288-224-0x0000000007AE0000-0x0000000007AF0000-memory.dmp

Filesize
64KB

Download
memory/2288-222-0x0000000000D60000-0x0000000000E56000-memory.dmp

Filesize
984KB

Download
memory/3552-204-0x0000000006D50000-0x0000000006F12000-memory.dmp

Filesize
1.8MB

Download
memory/3552-202-0x0000000006360000-0x00000000063D6000-memory.dmp

Filesize
472KB

Download
memory/3552-197-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/3552-198-0x00000000050D0000-0x000000000510C000-memory.dmp

Filesize
240KB

Download
memory/3552-199-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/3552-200-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3552-201-0x0000000006100000-0x0000000006192000-memory.dmp

Filesize
584KB

Download
memory/3552-196-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3552-203-0x00000000063E0000-0x0000000006430000-memory.dmp

Filesize
320KB

Download
memory/3552-195-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/3552-205-0x0000000007450000-0x000000000797C000-memory.dmp

Filesize
5.2MB

Download
memory/3552-194-0x00000000055B0000-0x0000000005BC8000-memory.dmp

Filesize
6.1MB

Download
memory/3552-193-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/3780-183-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-157-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/3780-188-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/3780-187-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/3780-161-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-186-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/3780-185-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-159-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-181-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-179-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-163-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-177-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-154-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/3780-175-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-165-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-156-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/3780-155-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/3780-173-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-171-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-158-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-169-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/3780-167-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/4016-223-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/4016-215-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4212-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4212-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4212-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4212-253-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4212-254-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4300-225-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4300-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4300-231-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4300-229-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4300-228-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4320-211-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/4320-210-0x00000000005F0000-0x00000000006D8000-memory.dmp

Filesize
928KB

Download
memory/4480-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4480-262-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4480-263-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download