redline | a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71

Analysis

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe
Size

1.1MB
MD5

080d125acb6c66b2d4b5e2996d05934b
SHA1

0d9a9ea4781dc611dedb15b132b1e8604adceecb
SHA256

a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71
SHA512

4e3364646eac8d946d6dabe7f9a9d89e5c59a94522e48a47142a563c857a6300f4635819559a765a267a0b615c696990f6e9cffad6c42b5bd9f085138e70aaf0
SSDEEP

24576:sykPQFcu3qq7cQtwEiPO6pEuOGerCiaF9981pbTPEjQMBzDa+x:bkorHtViPLqXGe+YwBzh

Score

10^/10

redline horor linda discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

linda

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Extracted

Family

redline

Botnet

horor

185.161.248.75:4132

Attributes

auth_value
b8d506fe48db15c38fb031d07f42d529

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o6494364.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o6494364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6494364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6494364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6494364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6494364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6494364.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s4140293.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s4140293.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 14 IoCs

Processes:

z3102466.exez1631840.exeo6494364.exep4343388.exer9693547.exer9693547.exes4140293.exes4140293.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
1856	z3102466.exe
2024	z1631840.exe
1228	o6494364.exe
2856	p4343388.exe
3724	r9693547.exe
2636	r9693547.exe
4512	s4140293.exe
2668	s4140293.exe
2288	legends.exe
844	legends.exe
1880	legends.exe
1912	legends.exe
4552	legends.exe
3936	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1624 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1624	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o6494364.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6494364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6494364.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exez3102466.exez1631840.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3102466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3102466.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1631840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1631840.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

r9693547.exes4140293.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 3724 set thread context of 2636	3724	r9693547.exe	r9693547.exe
PID 4512 set thread context of 2668	4512	s4140293.exe	s4140293.exe
PID 2288 set thread context of 844	2288	legends.exe	legends.exe
PID 1880 set thread context of 1912	1880	legends.exe	legends.exe
PID 4552 set thread context of 3936	4552	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4600 2856 WerFault.exe p4343388.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1796 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o6494364.exer9693547.exe

pid process

1228 o6494364.exe
1228 o6494364.exe
2636 r9693547.exe
2636 r9693547.exe

pid	pid_target	process	target process
4600	2856	WerFault.exe	p4343388.exe

pid	process
1796	schtasks.exe

pid	process
1228	o6494364.exe
1228	o6494364.exe
2636	r9693547.exe
2636	r9693547.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

o6494364.exer9693547.exes4140293.exelegends.exer9693547.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	1228	o6494364.exe
Token: SeDebugPrivilege	3724	r9693547.exe
Token: SeDebugPrivilege	4512	s4140293.exe
Token: SeDebugPrivilege	2288	legends.exe
Token: SeDebugPrivilege	2636	r9693547.exe
Token: SeDebugPrivilege	1880	legends.exe
Token: SeDebugPrivilege	4552	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s4140293.exe

pid process

2668 s4140293.exe

pid	process
2668	s4140293.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exez3102466.exez1631840.exer9693547.exes4140293.exes4140293.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 1224 wrote to memory of 1856	1224	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe	z3102466.exe
PID 1224 wrote to memory of 1856	1224	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe	z3102466.exe
PID 1224 wrote to memory of 1856	1224	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe	z3102466.exe
PID 1856 wrote to memory of 2024	1856	z3102466.exe	z1631840.exe
PID 1856 wrote to memory of 2024	1856	z3102466.exe	z1631840.exe
PID 1856 wrote to memory of 2024	1856	z3102466.exe	z1631840.exe
PID 2024 wrote to memory of 1228	2024	z1631840.exe	o6494364.exe
PID 2024 wrote to memory of 1228	2024	z1631840.exe	o6494364.exe
PID 2024 wrote to memory of 1228	2024	z1631840.exe	o6494364.exe
PID 2024 wrote to memory of 2856	2024	z1631840.exe	p4343388.exe
PID 2024 wrote to memory of 2856	2024	z1631840.exe	p4343388.exe
PID 2024 wrote to memory of 2856	2024	z1631840.exe	p4343388.exe
PID 1856 wrote to memory of 3724	1856	z3102466.exe	r9693547.exe
PID 1856 wrote to memory of 3724	1856	z3102466.exe	r9693547.exe
PID 1856 wrote to memory of 3724	1856	z3102466.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 3724 wrote to memory of 2636	3724	r9693547.exe	r9693547.exe
PID 1224 wrote to memory of 4512	1224	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe	s4140293.exe
PID 1224 wrote to memory of 4512	1224	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe	s4140293.exe
PID 1224 wrote to memory of 4512	1224	a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 4512 wrote to memory of 2668	4512	s4140293.exe	s4140293.exe
PID 2668 wrote to memory of 2288	2668	s4140293.exe	legends.exe
PID 2668 wrote to memory of 2288	2668	s4140293.exe	legends.exe
PID 2668 wrote to memory of 2288	2668	s4140293.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 2288 wrote to memory of 844	2288	legends.exe	legends.exe
PID 844 wrote to memory of 1796	844	legends.exe	schtasks.exe
PID 844 wrote to memory of 1796	844	legends.exe	schtasks.exe
PID 844 wrote to memory of 1796	844	legends.exe	schtasks.exe
PID 844 wrote to memory of 4900	844	legends.exe	cmd.exe
PID 844 wrote to memory of 4900	844	legends.exe	cmd.exe
PID 844 wrote to memory of 4900	844	legends.exe	cmd.exe
PID 4900 wrote to memory of 3060	4900	cmd.exe	cmd.exe
PID 4900 wrote to memory of 3060	4900	cmd.exe	cmd.exe
PID 4900 wrote to memory of 3060	4900	cmd.exe	cmd.exe
PID 4900 wrote to memory of 5012	4900	cmd.exe	cacls.exe
PID 4900 wrote to memory of 5012	4900	cmd.exe	cacls.exe
PID 4900 wrote to memory of 5012	4900	cmd.exe	cacls.exe
PID 4900 wrote to memory of 4984	4900	cmd.exe	cacls.exe
PID 4900 wrote to memory of 4984	4900	cmd.exe	cacls.exe
PID 4900 wrote to memory of 4984	4900	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe
"C:\Users\Admin\AppData\Local\Temp\a8c48a199060009258e7f7907ea6caf91298283116a55722e2ad45bfe0609f71.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3102466.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3102466.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631840.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631840.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6494364.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6494364.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4343388.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4343388.exe
4⤵
- Executes dropped EXE
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 928
5⤵
- Program crash
PID:4600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9693547.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9693547.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9693547.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9693547.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4140293.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4140293.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4140293.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4140293.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3060

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3240

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:1860

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:3588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2856 -ip 2856
1⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r9693547.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4140293.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4140293.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4140293.exe
Filesize
961KB

MD5
201032a3a1e7c445bb04e8778b0ffc74

SHA1
cead23da8bab7e5e9eca877c45ec8521fed9c96c

SHA256
1c3763a5ddba02b32bda39fde967eaf78d34c5ea0d9e1e3d344f9c38b627a9a4

SHA512
4f3302a8b23e3606f366502acf8e7f78c8d48d77b5e75ed3172e3b4b1d5d5e07392591c8ddab9016c28ca0a6bb24ac6e35675ba827dae232d4eae9a0cb91c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3102466.exe
Filesize
703KB

MD5
249b04394ecc60157b7cd3a358f4c473

SHA1
f4bb5c77235560e8d241daac47cdb686bb4f8fed

SHA256
30dfee883cadf85606e765a15384e36c423c990abe095664b2d85d220f1f60a6

SHA512
2abe9272fa550886bb0698f1ee2d998f2cae7c1461bd035922310880849665d40213b2cedb2ef36bd80ad0f51fdc65216abb3629c51de1bea1c71a0e799fa3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3102466.exe
Filesize
703KB

MD5
249b04394ecc60157b7cd3a358f4c473

SHA1
f4bb5c77235560e8d241daac47cdb686bb4f8fed

SHA256
30dfee883cadf85606e765a15384e36c423c990abe095664b2d85d220f1f60a6

SHA512
2abe9272fa550886bb0698f1ee2d998f2cae7c1461bd035922310880849665d40213b2cedb2ef36bd80ad0f51fdc65216abb3629c51de1bea1c71a0e799fa3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9693547.exe
Filesize
903KB

MD5
565e0eb16ba76418c5da6f66b907f07c

SHA1
acac23f441bae5b5d150a15d37386772a29243be

SHA256
06fdc7f957e70cfccb83768938fe4df3e560fa51236f07dbcbcbbcdb85c355d5

SHA512
b77760b39e7130d984750914089b2ec0a9f83846a4d543a927a7c0c09e690834deb87dadf6f168aea38b65d337ef8c93b499018669c367c77a1dec34cc6edf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9693547.exe
Filesize
903KB

MD5
565e0eb16ba76418c5da6f66b907f07c

SHA1
acac23f441bae5b5d150a15d37386772a29243be

SHA256
06fdc7f957e70cfccb83768938fe4df3e560fa51236f07dbcbcbbcdb85c355d5

SHA512
b77760b39e7130d984750914089b2ec0a9f83846a4d543a927a7c0c09e690834deb87dadf6f168aea38b65d337ef8c93b499018669c367c77a1dec34cc6edf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9693547.exe
Filesize
903KB

MD5
565e0eb16ba76418c5da6f66b907f07c

SHA1
acac23f441bae5b5d150a15d37386772a29243be

SHA256
06fdc7f957e70cfccb83768938fe4df3e560fa51236f07dbcbcbbcdb85c355d5

SHA512
b77760b39e7130d984750914089b2ec0a9f83846a4d543a927a7c0c09e690834deb87dadf6f168aea38b65d337ef8c93b499018669c367c77a1dec34cc6edf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631840.exe
Filesize
305KB

MD5
0bc80615690a08fba0f5201ad932bdf6

SHA1
a142f8ee1ff05d568f31e48bcf501c0a8d56c7ee

SHA256
194da671f76d39fec285230a64b09bf559c8e6dfc4b6b178cc22f9d68b1374e5

SHA512
44243639b1864109d8f714944487142aacc4347219adc9fa254e4d8145c8ed109c4b4016fbc6e3d9e11ce83a51ffb6a8f180f592bb12e8cd1df2a11aef1fdd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631840.exe
Filesize
305KB

MD5
0bc80615690a08fba0f5201ad932bdf6

SHA1
a142f8ee1ff05d568f31e48bcf501c0a8d56c7ee

SHA256
194da671f76d39fec285230a64b09bf559c8e6dfc4b6b178cc22f9d68b1374e5

SHA512
44243639b1864109d8f714944487142aacc4347219adc9fa254e4d8145c8ed109c4b4016fbc6e3d9e11ce83a51ffb6a8f180f592bb12e8cd1df2a11aef1fdd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6494364.exe
Filesize
184KB

MD5
7a07b62af1848ade834d062827bf77aa

SHA1
344f1b9209deef46eb69845730405b645b91f202

SHA256
5548939024740749812b78c78d21d3fcf4266719cc90e0465ac7fe68bcdcc93b

SHA512
46016c7e3534c9c9b3d7deaad5b0c3469b4eecdc214033d369d4b28f2d5dfc9445dbd841a30faa5e13aa9bd89ac0a2f96a6c37aba1ca9630b8ac658060ff242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6494364.exe
Filesize
184KB

MD5
7a07b62af1848ade834d062827bf77aa

SHA1
344f1b9209deef46eb69845730405b645b91f202

SHA256
5548939024740749812b78c78d21d3fcf4266719cc90e0465ac7fe68bcdcc93b

SHA512
46016c7e3534c9c9b3d7deaad5b0c3469b4eecdc214033d369d4b28f2d5dfc9445dbd841a30faa5e13aa9bd89ac0a2f96a6c37aba1ca9630b8ac658060ff242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4343388.exe
Filesize
145KB

MD5
e7c025a9fa1c2053065c025ba81c4971

SHA1
9fc48b17bd1d12a45adb17065d991e456cf7509b

SHA256
c2ad4e42dbbfee1254e622ee9de177ee1ec1a97d662eb57d114d7f9a4b6ae013

SHA512
af5fbe5267266396bedd34d06b9c23d38b2277d2d688612a2c2397e27058b65d47716713b161f847a8cddaf033a7e9c3e34822da5deea64bcc0ea9c401f555a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4343388.exe
Filesize
145KB

MD5
e7c025a9fa1c2053065c025ba81c4971

SHA1
9fc48b17bd1d12a45adb17065d991e456cf7509b

SHA256
c2ad4e42dbbfee1254e622ee9de177ee1ec1a97d662eb57d114d7f9a4b6ae013

SHA512
af5fbe5267266396bedd34d06b9c23d38b2277d2d688612a2c2397e27058b65d47716713b161f847a8cddaf033a7e9c3e34822da5deea64bcc0ea9c401f555a3

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/844-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/844-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/844-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/844-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/844-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-181-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-163-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-154-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/1228-155-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1228-156-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1228-188-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1228-187-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1228-157-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1228-158-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-159-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-161-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-183-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-185-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-167-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-165-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-186-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1228-177-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-179-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-175-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-169-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-171-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1228-173-0x0000000002530000-0x0000000002546000-memory.dmp

Filesize
88KB

Download
memory/1880-253-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/1912-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1912-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1912-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2288-234-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/2636-211-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/2636-236-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/2636-207-0x0000000005D00000-0x0000000006318000-memory.dmp

Filesize
6.1MB

Download
memory/2636-208-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/2636-246-0x0000000006E80000-0x0000000006EF6000-memory.dmp

Filesize
472KB

Download
memory/2636-247-0x0000000006F00000-0x0000000006F50000-memory.dmp

Filesize
320KB

Download
memory/2636-248-0x0000000007120000-0x00000000072E2000-memory.dmp

Filesize
1.8MB

Download
memory/2636-249-0x0000000007820000-0x0000000007D4C000-memory.dmp

Filesize
5.2MB

Download
memory/2636-250-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/2636-199-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2636-212-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/2636-235-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/2636-210-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/2668-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-219-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2668-217-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2856-193-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download
memory/3724-198-0x0000000001680000-0x0000000001690000-memory.dmp

Filesize
64KB

Download
memory/3724-197-0x0000000000BD0000-0x0000000000CB8000-memory.dmp

Filesize
928KB

Download
memory/3936-283-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3936-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3936-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4512-206-0x0000000000730000-0x0000000000826000-memory.dmp

Filesize
984KB

Download
memory/4512-209-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/4552-280-0x0000000007E00000-0x0000000007E10000-memory.dmp

Filesize
64KB

Download