redline | e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
Size

1.1MB
MD5

92333496a04a90cdc78725940436c319
SHA1

38132e6460af6b22928fe8d43eb653232dd43b94
SHA256

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d
SHA512

8d6bc40014928a6574e31c6a0c1f908d23b25462eeb6d82538d0a71cb587bfe3d147b8ece9a82e8d675e20f5211bd7ec23ddb4571912fc78ef17960d2b228c96
SSDEEP

24576:Vyec8IdrNr5B+GCL/Yz0jFn1MPVM/QN9JCSozZy9rIxq0:wKIdZNB+Ge+MSPaYpW29

Score

10^/10

redline luka terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o4321671.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4321671.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s0814615.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s0814615.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 13 IoCs

Processes:

z0678849.exez4726281.exeo4321671.exep3637470.exer7935593.exer7935593.exes0814615.exes0814615.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4388	z0678849.exe
2796	z4726281.exe
5012	o4321671.exe
4436	p3637470.exe
3412	r7935593.exe
4476	r7935593.exe
364	s0814615.exe
2852	s0814615.exe
1388	legends.exe
5084	legends.exe
3752	legends.exe
4828	legends.exe
3796	legends.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o4321671.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4321671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4321671.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exez0678849.exez4726281.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0678849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0678849.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4726281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4726281.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

r7935593.exes0814615.exelegends.exelegends.exe

description	pid	process	target process
PID 3412 set thread context of 4476	3412	r7935593.exe	r7935593.exe
PID 364 set thread context of 2852	364	s0814615.exe	s0814615.exe
PID 1388 set thread context of 3752	1388	legends.exe	legends.exe
PID 4828 set thread context of 3796	4828	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2644 4436 WerFault.exe p3637470.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1076 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o4321671.exer7935593.exe

pid process

5012 o4321671.exe
5012 o4321671.exe
4476 r7935593.exe
4476 r7935593.exe

pid	pid_target	process	target process
2644	4436	WerFault.exe	p3637470.exe

pid	process
1076	schtasks.exe

pid	process
5012	o4321671.exe
5012	o4321671.exe
4476	r7935593.exe
4476	r7935593.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

o4321671.exer7935593.exes0814615.exelegends.exer7935593.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	5012	o4321671.exe
Token: SeDebugPrivilege	3412	r7935593.exe
Token: SeDebugPrivilege	364	s0814615.exe
Token: SeDebugPrivilege	1388	legends.exe
Token: SeDebugPrivilege	4476	r7935593.exe
Token: SeDebugPrivilege	4828	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s0814615.exe

pid process

2852 s0814615.exe

pid	process
2852	s0814615.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exez0678849.exez4726281.exer7935593.exes0814615.exes0814615.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 444 wrote to memory of 4388	444	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	z0678849.exe
PID 444 wrote to memory of 4388	444	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	z0678849.exe
PID 444 wrote to memory of 4388	444	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	z0678849.exe
PID 4388 wrote to memory of 2796	4388	z0678849.exe	z4726281.exe
PID 4388 wrote to memory of 2796	4388	z0678849.exe	z4726281.exe
PID 4388 wrote to memory of 2796	4388	z0678849.exe	z4726281.exe
PID 2796 wrote to memory of 5012	2796	z4726281.exe	o4321671.exe
PID 2796 wrote to memory of 5012	2796	z4726281.exe	o4321671.exe
PID 2796 wrote to memory of 5012	2796	z4726281.exe	o4321671.exe
PID 2796 wrote to memory of 4436	2796	z4726281.exe	p3637470.exe
PID 2796 wrote to memory of 4436	2796	z4726281.exe	p3637470.exe
PID 2796 wrote to memory of 4436	2796	z4726281.exe	p3637470.exe
PID 4388 wrote to memory of 3412	4388	z0678849.exe	r7935593.exe
PID 4388 wrote to memory of 3412	4388	z0678849.exe	r7935593.exe
PID 4388 wrote to memory of 3412	4388	z0678849.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 3412 wrote to memory of 4476	3412	r7935593.exe	r7935593.exe
PID 444 wrote to memory of 364	444	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	s0814615.exe
PID 444 wrote to memory of 364	444	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	s0814615.exe
PID 444 wrote to memory of 364	444	e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 364 wrote to memory of 2852	364	s0814615.exe	s0814615.exe
PID 2852 wrote to memory of 1388	2852	s0814615.exe	legends.exe
PID 2852 wrote to memory of 1388	2852	s0814615.exe	legends.exe
PID 2852 wrote to memory of 1388	2852	s0814615.exe	legends.exe
PID 1388 wrote to memory of 5084	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 5084	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 5084	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 5084	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 1388 wrote to memory of 3752	1388	legends.exe	legends.exe
PID 3752 wrote to memory of 1076	3752	legends.exe	schtasks.exe
PID 3752 wrote to memory of 1076	3752	legends.exe	schtasks.exe
PID 3752 wrote to memory of 1076	3752	legends.exe	schtasks.exe
PID 3752 wrote to memory of 4244	3752	legends.exe	cmd.exe
PID 3752 wrote to memory of 4244	3752	legends.exe	cmd.exe
PID 3752 wrote to memory of 4244	3752	legends.exe	cmd.exe
PID 4244 wrote to memory of 2932	4244	cmd.exe	cmd.exe
PID 4244 wrote to memory of 2932	4244	cmd.exe	cmd.exe
PID 4244 wrote to memory of 2932	4244	cmd.exe	cmd.exe
PID 4244 wrote to memory of 264	4244	cmd.exe	cacls.exe
PID 4244 wrote to memory of 264	4244	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe
"C:\Users\Admin\AppData\Local\Temp\e10a82f81335c791b660602e8b382ba6d32f34f87d748bf78ea084785022fe3d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
4⤵
- Executes dropped EXE
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 928
5⤵
- Program crash
PID:2644

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7935593.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7935593.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7935593.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7935593.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0814615.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0814615.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0814615.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0814615.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2932

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:264

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5024

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4436 -ip 4436
1⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r7935593.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0814615.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0814615.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0814615.exe
Filesize
961KB

MD5
8687f5c122416c988c5d9d50af45dbcd

SHA1
dc76f0030f6b4e7ddc8df0c75a98d5e4f195204e

SHA256
409ffef0fe23f64c126d04c66f744018b31a246e06b55f0468ddd62b117b2653

SHA512
5754fd202c229cc5429b75d4a023f543b9f74911aa094b3deaab3eeca1bfe521fc049ecede5f810e022f1923727c1fd10fbd4b9a64e66935e5da258f903e43c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
Filesize
702KB

MD5
c4bd8a665f2c6dd16977ad90944efae0

SHA1
d54c42228ba38fa055bcaf72961cf8d725bf9ee0

SHA256
c6e2ab60c1385e08ec042b030839d7a046d616a9fb4a1de3aec4e2cad34c215c

SHA512
b6a2291b3d475ab3568b72dfcb2d6de6ef2597433d2e8be77f90e4c3a6c732a5f2d60a2667dd3ca5e1a7a175d67d2c84bb22fc0505bad47ef77780ac3b7ab822

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0678849.exe
Filesize
702KB

MD5
c4bd8a665f2c6dd16977ad90944efae0

SHA1
d54c42228ba38fa055bcaf72961cf8d725bf9ee0

SHA256
c6e2ab60c1385e08ec042b030839d7a046d616a9fb4a1de3aec4e2cad34c215c

SHA512
b6a2291b3d475ab3568b72dfcb2d6de6ef2597433d2e8be77f90e4c3a6c732a5f2d60a2667dd3ca5e1a7a175d67d2c84bb22fc0505bad47ef77780ac3b7ab822

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7935593.exe
Filesize
905KB

MD5
ae649c1eb646d5754912385643b1b4bb

SHA1
33971975109ed87fdd637b330e4711faa0e9f601

SHA256
bff9481a1d8e4c631ce43326a05c1d17d0c0c2ba360ea01ee2931497f4e533b9

SHA512
ee1d0ca1ea1222503183dee86f18eda5781eaf595394966d79d37fa8e4e7ccc91c4c8cce99c2ee9e82bda369a1385da9df932b96b23a78b90cc274a8216ef606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7935593.exe
Filesize
905KB

MD5
ae649c1eb646d5754912385643b1b4bb

SHA1
33971975109ed87fdd637b330e4711faa0e9f601

SHA256
bff9481a1d8e4c631ce43326a05c1d17d0c0c2ba360ea01ee2931497f4e533b9

SHA512
ee1d0ca1ea1222503183dee86f18eda5781eaf595394966d79d37fa8e4e7ccc91c4c8cce99c2ee9e82bda369a1385da9df932b96b23a78b90cc274a8216ef606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7935593.exe
Filesize
905KB

MD5
ae649c1eb646d5754912385643b1b4bb

SHA1
33971975109ed87fdd637b330e4711faa0e9f601

SHA256
bff9481a1d8e4c631ce43326a05c1d17d0c0c2ba360ea01ee2931497f4e533b9

SHA512
ee1d0ca1ea1222503183dee86f18eda5781eaf595394966d79d37fa8e4e7ccc91c4c8cce99c2ee9e82bda369a1385da9df932b96b23a78b90cc274a8216ef606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
Filesize
306KB

MD5
334d673a6767ea02c040a4d37da1b089

SHA1
1119351b47e7c762216e85e80512782afac3610c

SHA256
2c41a58a3e1e1644d00b993cf741bcb9814e032eef050d153b373171915af911

SHA512
793aa3695042cb8876d1ed5400eafbea0eb22f0f42d235ae3648ecaa4991f02e6c461c02eea9461d042cf186fee7a2bf4c3e31ba331c7c9ab52321a2405ed561

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4726281.exe
Filesize
306KB

MD5
334d673a6767ea02c040a4d37da1b089

SHA1
1119351b47e7c762216e85e80512782afac3610c

SHA256
2c41a58a3e1e1644d00b993cf741bcb9814e032eef050d153b373171915af911

SHA512
793aa3695042cb8876d1ed5400eafbea0eb22f0f42d235ae3648ecaa4991f02e6c461c02eea9461d042cf186fee7a2bf4c3e31ba331c7c9ab52321a2405ed561

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
Filesize
185KB

MD5
51f2c8701086c796f01308be159fae64

SHA1
6d277b1c1766d3a3e197325247d347f14bcdaa2b

SHA256
7130b298bc12b47fd0a0563602b5035890b16a73374b1fe1e74caf3670a820fe

SHA512
ec06af118718de591cb9527b0a18bb2ddd821695c547d090d5e0ae806ed2de3d4615bfd8201cbdf28ddf3bcc761df5c1907e871c5a7aea281b4a4094e2f597aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4321671.exe
Filesize
185KB

MD5
51f2c8701086c796f01308be159fae64

SHA1
6d277b1c1766d3a3e197325247d347f14bcdaa2b

SHA256
7130b298bc12b47fd0a0563602b5035890b16a73374b1fe1e74caf3670a820fe

SHA512
ec06af118718de591cb9527b0a18bb2ddd821695c547d090d5e0ae806ed2de3d4615bfd8201cbdf28ddf3bcc761df5c1907e871c5a7aea281b4a4094e2f597aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
Filesize
145KB

MD5
5506641729e767e3d2127db747714ab6

SHA1
db0f4a753735b7b79707021e6a3c90cc08155bea

SHA256
3fd94b81867a04ea381630c667b21790dfa737d031ee6196fe85e33febd252ee

SHA512
03152aaa4ce485e14579d152b59d17e4e8ed52b070e7e3dd68c7ffa9cb1f75093d61791d831eb8bd6fd2c84c1e42420064d0494e57e52388c07eb367d5162637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3637470.exe
Filesize
145KB

MD5
5506641729e767e3d2127db747714ab6

SHA1
db0f4a753735b7b79707021e6a3c90cc08155bea

SHA256
3fd94b81867a04ea381630c667b21790dfa737d031ee6196fe85e33febd252ee

SHA512
03152aaa4ce485e14579d152b59d17e4e8ed52b070e7e3dd68c7ffa9cb1f75093d61791d831eb8bd6fd2c84c1e42420064d0494e57e52388c07eb367d5162637

Download Submit
memory/364-206-0x00000000007C0000-0x00000000008B6000-memory.dmp

Filesize
984KB

Download
memory/364-207-0x0000000007720000-0x0000000007730000-memory.dmp

Filesize
64KB

Download
memory/1388-235-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2852-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3412-197-0x00000000004B0000-0x0000000000598000-memory.dmp

Filesize
928KB

Download
memory/3412-198-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3752-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3752-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3752-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3752-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3796-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3796-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3796-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4436-193-0x0000000000F20000-0x0000000000F4A000-memory.dmp

Filesize
168KB

Download
memory/4476-208-0x0000000005920000-0x0000000005F38000-memory.dmp

Filesize
6.1MB

Download
memory/4476-250-0x0000000006D70000-0x0000000006F32000-memory.dmp

Filesize
1.8MB

Download
memory/4476-209-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/4476-210-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/4476-211-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/4476-212-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/4476-251-0x0000000007470000-0x000000000799C000-memory.dmp

Filesize
5.2MB

Download
memory/4476-237-0x0000000006460000-0x00000000064D6000-memory.dmp

Filesize
472KB

Download
memory/4476-238-0x00000000063E0000-0x0000000006430000-memory.dmp

Filesize
320KB

Download
memory/4476-240-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/4476-199-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4476-236-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4476-234-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/5012-175-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-163-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-161-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-159-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-165-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-167-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-169-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-158-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-171-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-157-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5012-173-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-187-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5012-177-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-179-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-181-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-183-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-156-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5012-155-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5012-154-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/5012-185-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/5012-186-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5012-188-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download