redline | e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a

Analysis

max time kernel
180s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe
Size

1.1MB
MD5

55db6060e2088a273573383c4789c3c5
SHA1

a2633cd98d48996a740b8b0a05a5b60ff873bdb9
SHA256

e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a
SHA512

231feab5e830835dd939df2b547e2b1fca43cb36dab6615e48db1b4cb60515b3568ff328c87c22330a2bef692b9a68b52561573953b39d3cbd03ac49be058d93
SSDEEP

24576:GyMrGI96ZsJoC0xIwucHRYcWLTxRk6j6IxVapeqBAkxybUHNlD2Sq+:VM10Zsiiwu+SxqDwSxWKNlDm

Score

10^/10

redline luka terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o5301643.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o5301643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o5301643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o5301643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o5301643.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o5301643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o5301643.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s0639690.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s0639690.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 13 IoCs

Processes:

z9508213.exez5390702.exeo5301643.exep7919426.exer5669826.exer5669826.exer5669826.exes0639690.exes0639690.exelegends.exelegends.exelegends.exelegends.exe

pid	process
876	z9508213.exe
3396	z5390702.exe
2688	o5301643.exe
3668	p7919426.exe
2536	r5669826.exe
4668	r5669826.exe
1916	r5669826.exe
3552	s0639690.exe
852	s0639690.exe
648	legends.exe
1628	legends.exe
4372	legends.exe
464	legends.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o5301643.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o5301643.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o5301643.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z9508213.exez5390702.exee04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9508213.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9508213.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5390702.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5390702.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

r5669826.exes0639690.exelegends.exe

description	pid	process	target process
PID 2536 set thread context of 1916	2536	r5669826.exe	r5669826.exe
PID 3552 set thread context of 852	3552	s0639690.exe	s0639690.exe
PID 648 set thread context of 1628	648	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2432 3668 WerFault.exe p7919426.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1048 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o5301643.exer5669826.exe

pid process

2688 o5301643.exe
2688 o5301643.exe
1916 r5669826.exe
1916 r5669826.exe

pid	pid_target	process	target process
2432	3668	WerFault.exe	p7919426.exe

pid	process
1048	schtasks.exe

pid	process
2688	o5301643.exe
2688	o5301643.exe
1916	r5669826.exe
1916	r5669826.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

o5301643.exer5669826.exes0639690.exelegends.exer5669826.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2688	o5301643.exe
Token: SeDebugPrivilege	2536	r5669826.exe
Token: SeDebugPrivilege	3552	s0639690.exe
Token: SeDebugPrivilege	648	legends.exe
Token: SeDebugPrivilege	1916	r5669826.exe
Token: SeDebugPrivilege	4372	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s0639690.exe

pid process

852 s0639690.exe

pid	process
852	s0639690.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exez9508213.exez5390702.exer5669826.exes0639690.exes0639690.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 1656 wrote to memory of 876	1656	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe	z9508213.exe
PID 1656 wrote to memory of 876	1656	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe	z9508213.exe
PID 1656 wrote to memory of 876	1656	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe	z9508213.exe
PID 876 wrote to memory of 3396	876	z9508213.exe	z5390702.exe
PID 876 wrote to memory of 3396	876	z9508213.exe	z5390702.exe
PID 876 wrote to memory of 3396	876	z9508213.exe	z5390702.exe
PID 3396 wrote to memory of 2688	3396	z5390702.exe	o5301643.exe
PID 3396 wrote to memory of 2688	3396	z5390702.exe	o5301643.exe
PID 3396 wrote to memory of 2688	3396	z5390702.exe	o5301643.exe
PID 3396 wrote to memory of 3668	3396	z5390702.exe	p7919426.exe
PID 3396 wrote to memory of 3668	3396	z5390702.exe	p7919426.exe
PID 3396 wrote to memory of 3668	3396	z5390702.exe	p7919426.exe
PID 876 wrote to memory of 2536	876	z9508213.exe	r5669826.exe
PID 876 wrote to memory of 2536	876	z9508213.exe	r5669826.exe
PID 876 wrote to memory of 2536	876	z9508213.exe	r5669826.exe
PID 2536 wrote to memory of 4668	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 4668	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 4668	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 4668	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 2536 wrote to memory of 1916	2536	r5669826.exe	r5669826.exe
PID 1656 wrote to memory of 3552	1656	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe	s0639690.exe
PID 1656 wrote to memory of 3552	1656	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe	s0639690.exe
PID 1656 wrote to memory of 3552	1656	e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 3552 wrote to memory of 852	3552	s0639690.exe	s0639690.exe
PID 852 wrote to memory of 648	852	s0639690.exe	legends.exe
PID 852 wrote to memory of 648	852	s0639690.exe	legends.exe
PID 852 wrote to memory of 648	852	s0639690.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 648 wrote to memory of 1628	648	legends.exe	legends.exe
PID 1628 wrote to memory of 1048	1628	legends.exe	schtasks.exe
PID 1628 wrote to memory of 1048	1628	legends.exe	schtasks.exe
PID 1628 wrote to memory of 1048	1628	legends.exe	schtasks.exe
PID 1628 wrote to memory of 4016	1628	legends.exe	cmd.exe
PID 1628 wrote to memory of 4016	1628	legends.exe	cmd.exe
PID 1628 wrote to memory of 4016	1628	legends.exe	cmd.exe
PID 4016 wrote to memory of 3612	4016	cmd.exe	cmd.exe
PID 4016 wrote to memory of 3612	4016	cmd.exe	cmd.exe
PID 4016 wrote to memory of 3612	4016	cmd.exe	cmd.exe
PID 4016 wrote to memory of 4752	4016	cmd.exe	cacls.exe
PID 4016 wrote to memory of 4752	4016	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe
"C:\Users\Admin\AppData\Local\Temp\e04e5d101d0d716311b6b71e2958c3493199b14d787f0da6b22a84b78f71e93a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9508213.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9508213.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5390702.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5390702.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5301643.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5301643.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7919426.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7919426.exe
4⤵
- Executes dropped EXE
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 928
5⤵
- Program crash
PID:2432

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
4⤵
- Executes dropped EXE
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0639690.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0639690.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0639690.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0639690.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3612

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:4752

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1816

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:1604

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3668 -ip 3668
1⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:464

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r5669826.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0639690.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0639690.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0639690.exe
Filesize
961KB

MD5
be455e7f26ac5ea23e7f92c4e734dee7

SHA1
c9e2784598708802fe10216b7e2d5a4c4683eac5

SHA256
4982796c99a590f49c0673c088b63992e226044e7ded33fbb7a6eff2ef1e56c6

SHA512
31bc64e3f448b79446a94f63e97b050cf515b99496c7b360f0519f9ac75549d2699d19bf3fc9012cfe0529e3f951153bcc22a6190246ecba1f3db788d993aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9508213.exe
Filesize
702KB

MD5
a2b4010c2ea5808ea21639d4a0588765

SHA1
602d9a30ff933f1320aa3d99cf2a4153d03cc667

SHA256
c68f9a03c7870b7d05c55c270d0910883e979f0e9c46e20d6efd9315c15d1650

SHA512
ad898339409a18b9409b26eee5a9a4248f2c2f2b44c7e95339e8ea468fc2c5ceb5426dc81754051065806b06bbd9aba12ad9eb27561aeddd23617b303cc0cba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9508213.exe
Filesize
702KB

MD5
a2b4010c2ea5808ea21639d4a0588765

SHA1
602d9a30ff933f1320aa3d99cf2a4153d03cc667

SHA256
c68f9a03c7870b7d05c55c270d0910883e979f0e9c46e20d6efd9315c15d1650

SHA512
ad898339409a18b9409b26eee5a9a4248f2c2f2b44c7e95339e8ea468fc2c5ceb5426dc81754051065806b06bbd9aba12ad9eb27561aeddd23617b303cc0cba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
Filesize
905KB

MD5
a72cbe4f4f6ceb4faefd618a6447dbaf

SHA1
b8029d77dd6df75d6eeba0ad32216a27d979e380

SHA256
4f59cccd4105c79ee651294ef50c6248a76d272bc8ff87f25f57a551eafd4475

SHA512
4b496a2780514e8daac949cb7b25722c249a1b6617f22d55304de8347477ca7802a4b3fa82e986585aad74d54293c5eb302123306dfc5a1ce1ab33fa3c12b16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
Filesize
905KB

MD5
a72cbe4f4f6ceb4faefd618a6447dbaf

SHA1
b8029d77dd6df75d6eeba0ad32216a27d979e380

SHA256
4f59cccd4105c79ee651294ef50c6248a76d272bc8ff87f25f57a551eafd4475

SHA512
4b496a2780514e8daac949cb7b25722c249a1b6617f22d55304de8347477ca7802a4b3fa82e986585aad74d54293c5eb302123306dfc5a1ce1ab33fa3c12b16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
Filesize
905KB

MD5
a72cbe4f4f6ceb4faefd618a6447dbaf

SHA1
b8029d77dd6df75d6eeba0ad32216a27d979e380

SHA256
4f59cccd4105c79ee651294ef50c6248a76d272bc8ff87f25f57a551eafd4475

SHA512
4b496a2780514e8daac949cb7b25722c249a1b6617f22d55304de8347477ca7802a4b3fa82e986585aad74d54293c5eb302123306dfc5a1ce1ab33fa3c12b16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5669826.exe
Filesize
905KB

MD5
a72cbe4f4f6ceb4faefd618a6447dbaf

SHA1
b8029d77dd6df75d6eeba0ad32216a27d979e380

SHA256
4f59cccd4105c79ee651294ef50c6248a76d272bc8ff87f25f57a551eafd4475

SHA512
4b496a2780514e8daac949cb7b25722c249a1b6617f22d55304de8347477ca7802a4b3fa82e986585aad74d54293c5eb302123306dfc5a1ce1ab33fa3c12b16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5390702.exe
Filesize
306KB

MD5
5f186e0064818e254b6b6af01a8409fb

SHA1
eb430b9303aecc5be13398a78bd30e4576c576d1

SHA256
504ccaaf5de1b2783a3e760e89420daaf3c48034745365cacf0d5411cf75c828

SHA512
4bd658f21370fc7c23b274f597dfa24fec7c5947b4720f63b9d9e919da8e45463d37471f6fa02f7964be351fe1c33f514b186a3d78afed81df01fdc904bc7327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5390702.exe
Filesize
306KB

MD5
5f186e0064818e254b6b6af01a8409fb

SHA1
eb430b9303aecc5be13398a78bd30e4576c576d1

SHA256
504ccaaf5de1b2783a3e760e89420daaf3c48034745365cacf0d5411cf75c828

SHA512
4bd658f21370fc7c23b274f597dfa24fec7c5947b4720f63b9d9e919da8e45463d37471f6fa02f7964be351fe1c33f514b186a3d78afed81df01fdc904bc7327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5301643.exe
Filesize
185KB

MD5
be5ace7590ee1bc95350c858c33ebe90

SHA1
7bb57cacde52a8bf5c784b08c0168fb892d9c6a0

SHA256
bcecb81d1349ffe25fdc5fe729b192255ebec85fbfcf66a357bff3d0de97f4e3

SHA512
ce1ddc512052f466650e77a62c8d2fad5410253135dc9654e692734e5e17fc0b48c7b50a7ae274744b2b94e5bd60946ec49ce4d47b23fa8309e9d49e13407e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o5301643.exe
Filesize
185KB

MD5
be5ace7590ee1bc95350c858c33ebe90

SHA1
7bb57cacde52a8bf5c784b08c0168fb892d9c6a0

SHA256
bcecb81d1349ffe25fdc5fe729b192255ebec85fbfcf66a357bff3d0de97f4e3

SHA512
ce1ddc512052f466650e77a62c8d2fad5410253135dc9654e692734e5e17fc0b48c7b50a7ae274744b2b94e5bd60946ec49ce4d47b23fa8309e9d49e13407e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7919426.exe
Filesize
145KB

MD5
db621cf7bb350333ef33e0bbae6fe8da

SHA1
3218770056c5e5349ca466d333fecbdc46e3a5ac

SHA256
6ff1af4614045aeb630c456fdd4f0ea02c9052bdd4ec99079c3bee165699f89b

SHA512
3a4eda2c72f38dd2d59da86aa78a3c3afcacfbc2fadaf21302771b4054c585115c2b281bfd1d92dd258165ab236bcf667aa8417d522ffe760db1f8f47a3377fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7919426.exe
Filesize
145KB

MD5
db621cf7bb350333ef33e0bbae6fe8da

SHA1
3218770056c5e5349ca466d333fecbdc46e3a5ac

SHA256
6ff1af4614045aeb630c456fdd4f0ea02c9052bdd4ec99079c3bee165699f89b

SHA512
3a4eda2c72f38dd2d59da86aa78a3c3afcacfbc2fadaf21302771b4054c585115c2b281bfd1d92dd258165ab236bcf667aa8417d522ffe760db1f8f47a3377fa

Download Submit
memory/648-237-0x00000000075F0000-0x0000000007600000-memory.dmp

Filesize
64KB

Download
memory/852-235-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/852-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/852-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/852-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/852-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1628-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1916-221-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/1916-247-0x00000000063F0000-0x0000000006466000-memory.dmp

Filesize
472KB

Download
memory/1916-200-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1916-213-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1916-252-0x0000000007440000-0x000000000796C000-memory.dmp

Filesize
5.2MB

Download
memory/1916-251-0x0000000006D40000-0x0000000006F02000-memory.dmp

Filesize
1.8MB

Download
memory/1916-248-0x0000000006470000-0x00000000064C0000-memory.dmp

Filesize
320KB

Download
memory/1916-222-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/1916-208-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/1916-209-0x0000000005470000-0x000000000557A000-memory.dmp

Filesize
1.0MB

Download
memory/1916-242-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/1916-211-0x00000000053A0000-0x00000000053B2000-memory.dmp

Filesize
72KB

Download
memory/1916-212-0x0000000005420000-0x000000000545C000-memory.dmp

Filesize
240KB

Download
memory/2536-197-0x00000000009D0000-0x0000000000AB8000-memory.dmp

Filesize
928KB

Download
memory/2536-198-0x00000000078A0000-0x00000000078B0000-memory.dmp

Filesize
64KB

Download
memory/2688-175-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-161-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-181-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-179-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-177-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-185-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-186-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2688-173-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-171-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-169-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-167-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-165-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-163-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-183-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-154-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/2688-158-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-159-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/2688-155-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2688-187-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2688-157-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2688-188-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/2688-156-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3552-207-0x0000000000AF0000-0x0000000000BE6000-memory.dmp

Filesize
984KB

Download
memory/3552-210-0x0000000007900000-0x0000000007910000-memory.dmp

Filesize
64KB

Download
memory/3668-193-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/4372-255-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download