redline | e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076

Analysis

max time kernel
160s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe
Size

1.1MB
MD5

d154debd02464dc69a4c9cfd6c592dca
SHA1

cd0c2f06d8953e908525becf265aed62882a24b5
SHA256

e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076
SHA512

48eca8be0a020ba9c8a58bd5eba4fdd7633e8f3a3957a90462b98b616e103ac0dc3f1066efb0a9a0397c7c1ce3a35d2964ef7a2226b4257ba9c34f71185f4e74
SSDEEP

24576:+yWYeAYYvg9F3d2WdC6SsG1bDI0WxK03n/AlBHWNpNZyLw2GFmEst2:NWYe/ZEWdEsW9WzoWPyc2Gn4

Score

10^/10

redline larry warum discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

larry

185.161.248.75:4132

Attributes

auth_value
9039557bb7a08f5f2f60e2b71e1dee0e

Extracted

Family

redline

Botnet

warum

185.161.248.75:4132

Attributes

auth_value
0bdb2dda91dadc65f555dee088a6a2a4

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o8502217.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o8502217.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o8502217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o8502217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o8502217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o8502217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o8502217.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

legends.exes4076073.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s4076073.exe

Executes dropped EXE 12 IoCs

Processes:

z2444823.exez2432530.exeo8502217.exep3157693.exer1149656.exer1149656.exes4076073.exes4076073.exelegends.exelegends.exelegends.exelegends.exe

pid	process
5060	z2444823.exe
4592	z2432530.exe
400	o8502217.exe
3420	p3157693.exe
2484	r1149656.exe
376	r1149656.exe
2600	s4076073.exe
3900	s4076073.exe
3540	legends.exe
1436	legends.exe
3516	legends.exe
4272	legends.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o8502217.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o8502217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o8502217.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z2432530.exee21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exez2444823.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2432530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2432530.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2444823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2444823.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

Processes:

r1149656.exes4076073.exelegends.exelegends.exe

description	pid	process	target process
PID 2484 set thread context of 376	2484	r1149656.exe	r1149656.exe
PID 2600 set thread context of 3900	2600	s4076073.exe	s4076073.exe
PID 3540 set thread context of 1436	3540	legends.exe	legends.exe
PID 3516 set thread context of 4272	3516	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1468 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

o8502217.exep3157693.exer1149656.exe

pid process

400 o8502217.exe
400 o8502217.exe
3420 p3157693.exe
3420 p3157693.exe
376 r1149656.exe
376 r1149656.exe

pid	process
1468	schtasks.exe

pid	process
400	o8502217.exe
400	o8502217.exe
3420	p3157693.exe
3420	p3157693.exe
376	r1149656.exe
376	r1149656.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

o8502217.exep3157693.exer1149656.exes4076073.exer1149656.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	400	o8502217.exe
Token: SeDebugPrivilege	3420	p3157693.exe
Token: SeDebugPrivilege	2484	r1149656.exe
Token: SeDebugPrivilege	2600	s4076073.exe
Token: SeDebugPrivilege	376	r1149656.exe
Token: SeDebugPrivilege	3540	legends.exe
Token: SeDebugPrivilege	3516	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s4076073.exe

pid process

3900 s4076073.exe

pid	process
3900	s4076073.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exez2444823.exez2432530.exer1149656.exes4076073.exes4076073.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 5060	1452	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe	z2444823.exe
PID 1452 wrote to memory of 5060	1452	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe	z2444823.exe
PID 1452 wrote to memory of 5060	1452	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe	z2444823.exe
PID 5060 wrote to memory of 4592	5060	z2444823.exe	z2432530.exe
PID 5060 wrote to memory of 4592	5060	z2444823.exe	z2432530.exe
PID 5060 wrote to memory of 4592	5060	z2444823.exe	z2432530.exe
PID 4592 wrote to memory of 400	4592	z2432530.exe	o8502217.exe
PID 4592 wrote to memory of 400	4592	z2432530.exe	o8502217.exe
PID 4592 wrote to memory of 400	4592	z2432530.exe	o8502217.exe
PID 4592 wrote to memory of 3420	4592	z2432530.exe	p3157693.exe
PID 4592 wrote to memory of 3420	4592	z2432530.exe	p3157693.exe
PID 4592 wrote to memory of 3420	4592	z2432530.exe	p3157693.exe
PID 5060 wrote to memory of 2484	5060	z2444823.exe	r1149656.exe
PID 5060 wrote to memory of 2484	5060	z2444823.exe	r1149656.exe
PID 5060 wrote to memory of 2484	5060	z2444823.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 2484 wrote to memory of 376	2484	r1149656.exe	r1149656.exe
PID 1452 wrote to memory of 2600	1452	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe	s4076073.exe
PID 1452 wrote to memory of 2600	1452	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe	s4076073.exe
PID 1452 wrote to memory of 2600	1452	e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 2600 wrote to memory of 3900	2600	s4076073.exe	s4076073.exe
PID 3900 wrote to memory of 3540	3900	s4076073.exe	legends.exe
PID 3900 wrote to memory of 3540	3900	s4076073.exe	legends.exe
PID 3900 wrote to memory of 3540	3900	s4076073.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 3540 wrote to memory of 1436	3540	legends.exe	legends.exe
PID 1436 wrote to memory of 1468	1436	legends.exe	schtasks.exe
PID 1436 wrote to memory of 1468	1436	legends.exe	schtasks.exe
PID 1436 wrote to memory of 1468	1436	legends.exe	schtasks.exe
PID 1436 wrote to memory of 4992	1436	legends.exe	cmd.exe
PID 1436 wrote to memory of 4992	1436	legends.exe	cmd.exe
PID 1436 wrote to memory of 4992	1436	legends.exe	cmd.exe
PID 4992 wrote to memory of 5016	4992	cmd.exe	cmd.exe
PID 4992 wrote to memory of 5016	4992	cmd.exe	cmd.exe
PID 4992 wrote to memory of 5016	4992	cmd.exe	cmd.exe
PID 4992 wrote to memory of 4968	4992	cmd.exe	cacls.exe
PID 4992 wrote to memory of 4968	4992	cmd.exe	cacls.exe
PID 4992 wrote to memory of 4968	4992	cmd.exe	cacls.exe
PID 4992 wrote to memory of 1296	4992	cmd.exe	cacls.exe
PID 4992 wrote to memory of 1296	4992	cmd.exe	cacls.exe
PID 4992 wrote to memory of 1296	4992	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe
"C:\Users\Admin\AppData\Local\Temp\e21634605f0da9eed3640707ef20d30634972f4e603d1600c41d18db1fdcf076.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2444823.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2444823.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2432530.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2432530.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8502217.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8502217.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3157693.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3157693.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1149656.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1149656.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1149656.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1149656.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4076073.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4076073.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4076073.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4076073.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5016

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:4968

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1696

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:2140

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r1149656.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4076073.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4076073.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4076073.exe
Filesize
962KB

MD5
a228a5d7ff267446cb8037093beeafe7

SHA1
f1dd0a4f07a0c380ae29953b8fb1e81180a390ae

SHA256
1004c29120b51cdf05e7e1b4ec3ef1771973112170859e783c870472741d8a02

SHA512
1973c262e62b5bbf16cfa147bcc45cd65ad2cd06507725285e0e5db26230e1cc350ac08335cff1d8f2ae4a69e9d24ad9717499fd0fb3eaf884bf7e554b81524d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2444823.exe
Filesize
702KB

MD5
ac8bb9449af16c36d84a587fe8a733b0

SHA1
af3e6985ddfe37f5bf710d3afcf123e0c4e7bfc0

SHA256
58602c848b06eb73861b99cb62cc0e8f533f073eac1d469ed5bae47ee491f257

SHA512
6f0855d8544f657222b453f5060ddf120ae0d9f66e6fc61a6c9907c736cd2b1056efcfa65667067f2c8ed2ebf6e398a0bc38f5b79a4fc501e34a5782d39199c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2444823.exe
Filesize
702KB

MD5
ac8bb9449af16c36d84a587fe8a733b0

SHA1
af3e6985ddfe37f5bf710d3afcf123e0c4e7bfc0

SHA256
58602c848b06eb73861b99cb62cc0e8f533f073eac1d469ed5bae47ee491f257

SHA512
6f0855d8544f657222b453f5060ddf120ae0d9f66e6fc61a6c9907c736cd2b1056efcfa65667067f2c8ed2ebf6e398a0bc38f5b79a4fc501e34a5782d39199c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1149656.exe
Filesize
903KB

MD5
1c046a52c94190536779dec1bb87bd71

SHA1
9070972480687b3cc9da99a1078016433b34a0d3

SHA256
5d0b8940f8309423893e89a99e34c0e587f8fc301c800eaf71284630fe91cf46

SHA512
f69f8f4e9ddd288507dd2dfa6780f7f64e8a88b112f78180f394f3d09be13aff3ad3d49c7ff8fa84c7b9d0f2ae724ec0bd864f4ea686ef27c1e24daa2fca5b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1149656.exe
Filesize
903KB

MD5
1c046a52c94190536779dec1bb87bd71

SHA1
9070972480687b3cc9da99a1078016433b34a0d3

SHA256
5d0b8940f8309423893e89a99e34c0e587f8fc301c800eaf71284630fe91cf46

SHA512
f69f8f4e9ddd288507dd2dfa6780f7f64e8a88b112f78180f394f3d09be13aff3ad3d49c7ff8fa84c7b9d0f2ae724ec0bd864f4ea686ef27c1e24daa2fca5b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1149656.exe
Filesize
903KB

MD5
1c046a52c94190536779dec1bb87bd71

SHA1
9070972480687b3cc9da99a1078016433b34a0d3

SHA256
5d0b8940f8309423893e89a99e34c0e587f8fc301c800eaf71284630fe91cf46

SHA512
f69f8f4e9ddd288507dd2dfa6780f7f64e8a88b112f78180f394f3d09be13aff3ad3d49c7ff8fa84c7b9d0f2ae724ec0bd864f4ea686ef27c1e24daa2fca5b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2432530.exe
Filesize
305KB

MD5
3d8b18965d3b89897eb8e17fbb9cd0c2

SHA1
8759d084f843dd99a53414ee3b958a79e6078a7f

SHA256
4213c937f12aee0088389e91dae66cb84e64db5b32d5ebd4cbd8fa7b257fcee6

SHA512
98f1f98d1d09ddd3c7d20843151190bfdb6b05214c4cfda73c17dcfaf4cf74d0d4170dad272ee4f15ce20b92b2ab0cc61d9bb418fcb84d9b400a67457b9e691f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2432530.exe
Filesize
305KB

MD5
3d8b18965d3b89897eb8e17fbb9cd0c2

SHA1
8759d084f843dd99a53414ee3b958a79e6078a7f

SHA256
4213c937f12aee0088389e91dae66cb84e64db5b32d5ebd4cbd8fa7b257fcee6

SHA512
98f1f98d1d09ddd3c7d20843151190bfdb6b05214c4cfda73c17dcfaf4cf74d0d4170dad272ee4f15ce20b92b2ab0cc61d9bb418fcb84d9b400a67457b9e691f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8502217.exe
Filesize
183KB

MD5
1ce84246b46599e9248874bcbbf530db

SHA1
a4afb0e770a4282f745838866fa8353b784939ef

SHA256
ff06df4c261f2ff9876d1c51f72771a635472c26f21368edf9ab37362d19e81b

SHA512
5c9e8d8745b1af16e347f4cee9eed602dfc8e6e99e7f367089e6438a23fa01285ac2e85a463a621a826b9743031f30dae842c81d1cd5d1bcb7835ba82d0b31fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8502217.exe
Filesize
183KB

MD5
1ce84246b46599e9248874bcbbf530db

SHA1
a4afb0e770a4282f745838866fa8353b784939ef

SHA256
ff06df4c261f2ff9876d1c51f72771a635472c26f21368edf9ab37362d19e81b

SHA512
5c9e8d8745b1af16e347f4cee9eed602dfc8e6e99e7f367089e6438a23fa01285ac2e85a463a621a826b9743031f30dae842c81d1cd5d1bcb7835ba82d0b31fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3157693.exe
Filesize
145KB

MD5
26b2da1a39ece11eba4ea772c5f37b21

SHA1
88c3ff0196bae50bce5ef0c1e8f655a417b2dfc8

SHA256
95506a29694de6d721368b85e077b9c8e94430ee41c6284e334459c83b167c42

SHA512
e5c9ab68f5ec14c2decb2de6e01a698f13cd8553a3e3cf349e4bb5673998da56ac47e24defe6a94e57d3aa911cbc7eca23e8ce25a93622b4a61367c1ecc64d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p3157693.exe
Filesize
145KB

MD5
26b2da1a39ece11eba4ea772c5f37b21

SHA1
88c3ff0196bae50bce5ef0c1e8f655a417b2dfc8

SHA256
95506a29694de6d721368b85e077b9c8e94430ee41c6284e334459c83b167c42

SHA512
e5c9ab68f5ec14c2decb2de6e01a698f13cd8553a3e3cf349e4bb5673998da56ac47e24defe6a94e57d3aa911cbc7eca23e8ce25a93622b4a61367c1ecc64d21

Download Submit
memory/376-215-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/376-211-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/400-166-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-160-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-187-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/400-185-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/400-184-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-182-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-180-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-178-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-154-0x0000000004A60000-0x0000000005004000-memory.dmp

Filesize
5.6MB

Download
memory/400-155-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/400-157-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-156-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/400-176-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-174-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-172-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-170-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-168-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-164-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-162-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/400-186-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1436-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1436-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1436-249-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1436-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2484-210-0x0000000007C50000-0x0000000007C60000-memory.dmp

Filesize
64KB

Download
memory/2484-209-0x0000000000E30000-0x0000000000F18000-memory.dmp

Filesize
928KB

Download
memory/2600-220-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2600-219-0x00000000002D0000-0x00000000003C6000-memory.dmp

Filesize
984KB

Download
memory/3420-201-0x0000000006CE0000-0x0000000006EA2000-memory.dmp

Filesize
1.8MB

Download
memory/3420-194-0x0000000005460000-0x000000000556A000-memory.dmp

Filesize
1.0MB

Download
memory/3420-192-0x00000000009C0000-0x00000000009EA000-memory.dmp

Filesize
168KB

Download
memory/3420-193-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/3420-204-0x0000000006670000-0x00000000066C0000-memory.dmp

Filesize
320KB

Download
memory/3420-203-0x0000000006FB0000-0x0000000007026000-memory.dmp

Filesize
472KB

Download
memory/3420-195-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/3420-202-0x00000000073E0000-0x000000000790C000-memory.dmp

Filesize
5.2MB

Download
memory/3420-200-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/3420-196-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/3420-197-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3420-199-0x0000000006260000-0x00000000062F2000-memory.dmp

Filesize
584KB

Download
memory/3420-198-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3516-254-0x0000000007990000-0x00000000079A0000-memory.dmp

Filesize
64KB

Download
memory/3540-242-0x0000000007A90000-0x0000000007AA0000-memory.dmp

Filesize
64KB

Download
memory/3900-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-230-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-225-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3900-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4272-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download