redline | dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6

Analysis

max time kernel
150s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe
Size

1.1MB
MD5

f0a5660b3e2f4415e541ec315e61ec86
SHA1

be0d422e8ee50c6b9271a715a4069a523c27ec18
SHA256

dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6
SHA512

8945c673faa1f18fe18e0d811cfbb7c5a976073ea186bdf0d637f62853f846d2c46a9dafc919d4ccd911520513618130df9ddf9566a9ba669be47388b4d9eb3c
SSDEEP

24576:Pyr6wNDxkVckkEuGsjT7Jc0BWcncv6ZUV67wRhTTvCK5taD9:aLGVOEudjW4WwypV67wRhT+KLaD

Score

10^/10

redline luka terra discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luka

185.161.248.75:4132

Attributes

auth_value
44560bcd37d6bf076da309730fdb519a

Extracted

Family

redline

Botnet

terra

185.161.248.75:4132

Attributes

auth_value
60df3f535f8aa4e264f78041983592d2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o8896352.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o8896352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o8896352.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o8896352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o8896352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o8896352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o8896352.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legends.exes2633756.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s2633756.exe

Executes dropped EXE 14 IoCs

Processes:

z6032440.exez8141745.exeo8896352.exep8711113.exer3520392.exer3520392.exer3520392.exes2633756.exes2633756.exes2633756.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4176	z6032440.exe
1104	z8141745.exe
4432	o8896352.exe
4104	p8711113.exe
3612	r3520392.exe
2700	r3520392.exe
4524	r3520392.exe
3376	s2633756.exe
4656	s2633756.exe
4272	s2633756.exe
3044	legends.exe
5116	legends.exe
2088	legends.exe
2072	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2244 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2244	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o8896352.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o8896352.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o8896352.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exez6032440.exez8141745.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6032440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6032440.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8141745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8141745.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

r3520392.exes2633756.exelegends.exelegends.exe

description	pid	process	target process
PID 3612 set thread context of 4524	3612	r3520392.exe	r3520392.exe
PID 3376 set thread context of 4272	3376	s2633756.exe	s2633756.exe
PID 3044 set thread context of 5116	3044	legends.exe	legends.exe
PID 2088 set thread context of 2072	2088	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4536 4104 WerFault.exe p8711113.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o8896352.exer3520392.exe

pid process

4432 o8896352.exe
4432 o8896352.exe
4524 r3520392.exe
4524 r3520392.exe

pid	pid_target	process	target process
4536	4104	WerFault.exe	p8711113.exe

pid	process
1392	schtasks.exe

pid	process
4432	o8896352.exe
4432	o8896352.exe
4524	r3520392.exe
4524	r3520392.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

o8896352.exer3520392.exes2633756.exelegends.exer3520392.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	4432	o8896352.exe
Token: SeDebugPrivilege	3612	r3520392.exe
Token: SeDebugPrivilege	3376	s2633756.exe
Token: SeDebugPrivilege	3044	legends.exe
Token: SeDebugPrivilege	4524	r3520392.exe
Token: SeDebugPrivilege	2088	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s2633756.exe

pid process

4272 s2633756.exe

pid	process
4272	s2633756.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exez6032440.exez8141745.exer3520392.exes2633756.exes2633756.exelegends.exelegends.exe

description	pid	process	target process
PID 1636 wrote to memory of 4176	1636	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe	z6032440.exe
PID 1636 wrote to memory of 4176	1636	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe	z6032440.exe
PID 1636 wrote to memory of 4176	1636	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe	z6032440.exe
PID 4176 wrote to memory of 1104	4176	z6032440.exe	z8141745.exe
PID 4176 wrote to memory of 1104	4176	z6032440.exe	z8141745.exe
PID 4176 wrote to memory of 1104	4176	z6032440.exe	z8141745.exe
PID 1104 wrote to memory of 4432	1104	z8141745.exe	o8896352.exe
PID 1104 wrote to memory of 4432	1104	z8141745.exe	o8896352.exe
PID 1104 wrote to memory of 4432	1104	z8141745.exe	o8896352.exe
PID 1104 wrote to memory of 4104	1104	z8141745.exe	p8711113.exe
PID 1104 wrote to memory of 4104	1104	z8141745.exe	p8711113.exe
PID 1104 wrote to memory of 4104	1104	z8141745.exe	p8711113.exe
PID 4176 wrote to memory of 3612	4176	z6032440.exe	r3520392.exe
PID 4176 wrote to memory of 3612	4176	z6032440.exe	r3520392.exe
PID 4176 wrote to memory of 3612	4176	z6032440.exe	r3520392.exe
PID 3612 wrote to memory of 2700	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 2700	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 2700	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 2700	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 2700	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 2700	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 2700	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 3612 wrote to memory of 4524	3612	r3520392.exe	r3520392.exe
PID 1636 wrote to memory of 3376	1636	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe	s2633756.exe
PID 1636 wrote to memory of 3376	1636	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe	s2633756.exe
PID 1636 wrote to memory of 3376	1636	dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe	s2633756.exe
PID 3376 wrote to memory of 4656	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4656	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4656	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4656	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 3376 wrote to memory of 4272	3376	s2633756.exe	s2633756.exe
PID 4272 wrote to memory of 3044	4272	s2633756.exe	legends.exe
PID 4272 wrote to memory of 3044	4272	s2633756.exe	legends.exe
PID 4272 wrote to memory of 3044	4272	s2633756.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 3044 wrote to memory of 5116	3044	legends.exe	legends.exe
PID 5116 wrote to memory of 1392	5116	legends.exe	schtasks.exe
PID 5116 wrote to memory of 1392	5116	legends.exe	schtasks.exe
PID 5116 wrote to memory of 1392	5116	legends.exe	schtasks.exe
PID 5116 wrote to memory of 4736	5116	legends.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe
"C:\Users\Admin\AppData\Local\Temp\dd4f68077b2a4a74f21d8853cd68c222c6084e93ec059c07069bd1cd9bce3fc6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6032440.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6032440.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8141745.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8141745.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8896352.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8896352.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8711113.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8711113.exe
4⤵
- Executes dropped EXE
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 928
5⤵
- Program crash
PID:4536

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
4⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
3⤵
- Executes dropped EXE
PID:4656

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1364

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:800

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4892

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:2356

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:2196

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4104 -ip 4104
1⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r3520392.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2633756.exe
Filesize
961KB

MD5
2cebd32a2a2787f3ff30b12ecfe3fb3b

SHA1
9cad10a8f38144c4dc401317f792e6ce6394d210

SHA256
87a7a5193b4a4d1e3c3cf04e3d396ce239081ba934f7591fe5a26ce127b71325

SHA512
bf8bb1d15e1f500a0392934141ac023b13bcd71715a23bd08f1ff36c76f5ce460a67273afb819baaa0d0ee90bd67be76b2e39aab141756dbd58bb8d5a14fbe5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6032440.exe
Filesize
702KB

MD5
856186fcef9aeefea6b4e30fd06db515

SHA1
1cead46523a070644508f6f9562918cdeba94600

SHA256
9df638516575de8a6b8517e90c3ba8d318ff5d73b5f92c35be7adda036922427

SHA512
9fb9c55fa11e3651609e30f394fbbe7a8eca30db99cc4eaba80e45eacb27a2e526beeeee64809ac424a4e4f5bd500ab9222a2485573d78f29a96ec580a49e65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6032440.exe
Filesize
702KB

MD5
856186fcef9aeefea6b4e30fd06db515

SHA1
1cead46523a070644508f6f9562918cdeba94600

SHA256
9df638516575de8a6b8517e90c3ba8d318ff5d73b5f92c35be7adda036922427

SHA512
9fb9c55fa11e3651609e30f394fbbe7a8eca30db99cc4eaba80e45eacb27a2e526beeeee64809ac424a4e4f5bd500ab9222a2485573d78f29a96ec580a49e65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
Filesize
904KB

MD5
61b6c8d90cc12415ed8f44b6e4bc1d82

SHA1
bce6fd174dba2081f2574206eedca524849d843e

SHA256
633e5ea5fb15975e7cf5b5231c2034c890b1a9903c2f078341e86517f24c7684

SHA512
bded625276304fec78fccfbda0f3a7c8a6993563ef2e8c8c5808cc4941169a3c982d88a858cd1e7361a8e7bab0c24061292fcc12da5b649391d362712f0e3732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
Filesize
904KB

MD5
61b6c8d90cc12415ed8f44b6e4bc1d82

SHA1
bce6fd174dba2081f2574206eedca524849d843e

SHA256
633e5ea5fb15975e7cf5b5231c2034c890b1a9903c2f078341e86517f24c7684

SHA512
bded625276304fec78fccfbda0f3a7c8a6993563ef2e8c8c5808cc4941169a3c982d88a858cd1e7361a8e7bab0c24061292fcc12da5b649391d362712f0e3732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
Filesize
904KB

MD5
61b6c8d90cc12415ed8f44b6e4bc1d82

SHA1
bce6fd174dba2081f2574206eedca524849d843e

SHA256
633e5ea5fb15975e7cf5b5231c2034c890b1a9903c2f078341e86517f24c7684

SHA512
bded625276304fec78fccfbda0f3a7c8a6993563ef2e8c8c5808cc4941169a3c982d88a858cd1e7361a8e7bab0c24061292fcc12da5b649391d362712f0e3732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3520392.exe
Filesize
904KB

MD5
61b6c8d90cc12415ed8f44b6e4bc1d82

SHA1
bce6fd174dba2081f2574206eedca524849d843e

SHA256
633e5ea5fb15975e7cf5b5231c2034c890b1a9903c2f078341e86517f24c7684

SHA512
bded625276304fec78fccfbda0f3a7c8a6993563ef2e8c8c5808cc4941169a3c982d88a858cd1e7361a8e7bab0c24061292fcc12da5b649391d362712f0e3732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8141745.exe
Filesize
306KB

MD5
12503abccf92b15c2b5c26c950bd1e67

SHA1
3b70f00069c658f64052c46b134bf72978ffba23

SHA256
a1915bc26cd720725bca9338c9a64da230eefc0d22ae56a563942406641b3a54

SHA512
6e9d6b7e77327a955d9b7a68219e268327e9165a93941d4d3c1aa94bc7c6e4c025522771aee30201337b7f7f94fb210fd927b4d15e820f9020dac1869992685c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8141745.exe
Filesize
306KB

MD5
12503abccf92b15c2b5c26c950bd1e67

SHA1
3b70f00069c658f64052c46b134bf72978ffba23

SHA256
a1915bc26cd720725bca9338c9a64da230eefc0d22ae56a563942406641b3a54

SHA512
6e9d6b7e77327a955d9b7a68219e268327e9165a93941d4d3c1aa94bc7c6e4c025522771aee30201337b7f7f94fb210fd927b4d15e820f9020dac1869992685c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8896352.exe
Filesize
185KB

MD5
f5250f0a5a85d589a843b77f5850063c

SHA1
f815910cfe0cec2e10a05ef3a063f3b946b28ca2

SHA256
d3fc4addea294fb61dccdf49fc348dc9ff998da431f0e492a0f9cf5c3287fd74

SHA512
50b0514568c225912e09823a61b5277b4b3d6b8741d0d98f2cc438dc10bc694623f65659ad7b16bff3763982f0dd29cb7a9dee39fd8c171020106cfda822f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8896352.exe
Filesize
185KB

MD5
f5250f0a5a85d589a843b77f5850063c

SHA1
f815910cfe0cec2e10a05ef3a063f3b946b28ca2

SHA256
d3fc4addea294fb61dccdf49fc348dc9ff998da431f0e492a0f9cf5c3287fd74

SHA512
50b0514568c225912e09823a61b5277b4b3d6b8741d0d98f2cc438dc10bc694623f65659ad7b16bff3763982f0dd29cb7a9dee39fd8c171020106cfda822f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8711113.exe
Filesize
145KB

MD5
dc890cab3c239420428bde5678602e2d

SHA1
751d399f9cb259310ba7f9d4259d725d8e4a280d

SHA256
c98b7b4b7235e9f8271b9e93e3d24676b0d8ec22e3f1db7fd28e82f65a519995

SHA512
072020fd788155330da5e6c6080248d0e72770ecf331ec264d5ae147159711329f353c6a3457308912b7c71bc07249a9791b632c79fb0288b6f3b06bca4ffe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8711113.exe
Filesize
145KB

MD5
dc890cab3c239420428bde5678602e2d

SHA1
751d399f9cb259310ba7f9d4259d725d8e4a280d

SHA256
c98b7b4b7235e9f8271b9e93e3d24676b0d8ec22e3f1db7fd28e82f65a519995

SHA512
072020fd788155330da5e6c6080248d0e72770ecf331ec264d5ae147159711329f353c6a3457308912b7c71bc07249a9791b632c79fb0288b6f3b06bca4ffe1b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2072-261-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2072-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2072-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2088-256-0x0000000006E30000-0x0000000006E40000-memory.dmp

Filesize
64KB

Download
memory/3044-240-0x0000000007820000-0x0000000007830000-memory.dmp

Filesize
64KB

Download
memory/3376-210-0x00000000071A0000-0x00000000071B0000-memory.dmp

Filesize
64KB

Download
memory/3376-207-0x0000000000390000-0x0000000000486000-memory.dmp

Filesize
984KB

Download
memory/3612-197-0x0000000000840000-0x0000000000928000-memory.dmp

Filesize
928KB

Download
memory/3612-198-0x00000000075B0000-0x00000000075C0000-memory.dmp

Filesize
64KB

Download
memory/4104-193-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/4272-227-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4432-179-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-165-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-154-0x0000000004AB0000-0x0000000005054000-memory.dmp

Filesize
5.6MB

Download
memory/4432-155-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4432-156-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4432-157-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4432-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-188-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4432-187-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4432-186-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4432-159-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-161-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-185-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-163-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-183-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-167-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-181-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-177-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-175-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-173-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-169-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4432-171-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4524-221-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/4524-211-0x00000000052C0000-0x00000000052D2000-memory.dmp

Filesize
72KB

Download
memory/4524-230-0x0000000007270000-0x000000000779C000-memory.dmp

Filesize
5.2MB

Download
memory/4524-209-0x0000000005390000-0x000000000549A000-memory.dmp

Filesize
1.0MB

Download
memory/4524-212-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4524-252-0x0000000006E40000-0x0000000006EB6000-memory.dmp

Filesize
472KB

Download
memory/4524-253-0x0000000006EC0000-0x0000000006F10000-memory.dmp

Filesize
320KB

Download
memory/4524-241-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4524-213-0x0000000005320000-0x000000000535C000-memory.dmp

Filesize
240KB

Download
memory/4524-208-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/4524-222-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/4524-226-0x0000000006B70000-0x0000000006D32000-memory.dmp

Filesize
1.8MB

Download
memory/4524-200-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5116-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5116-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5116-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5116-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5116-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5116-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download