redline | 5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2023, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe
Size

1.1MB
MD5

04984482d3aeeeb3bebe131de65fd891
SHA1

e2ed149d973158e2cf594b2524297679de3a4af6
SHA256

5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01
SHA512

235d1474fee1299c3b1194d73f1f07ec4ffb8248f184adcb33cb331521fcd60d9da8f8dc85784cbb954f1ae02f4f5cfe6b174b779bf1e2f636e5d145dca9386a
SSDEEP

24576:tyDy3x8Hp1hQAn/EtMPNO2jQkE/+il6pB9pq7yWjR22aSIkr75rWR:IUMAA/2MXQkEGNB9pEjR23SIK

Score

10^/10

redline horor linda discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

linda

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Extracted

Family

redline

Botnet

horor

185.161.248.75:4132

Attributes

auth_value
b8d506fe48db15c38fb031d07f42d529

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o3610258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o3610258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o3610258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o3610258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o3610258.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o3610258.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s9384325.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 17 IoCs

pid	Process
1276	z9564351.exe
4352	z8655906.exe
4736	o3610258.exe
224	p9234861.exe
3964	r7218939.exe
4160	r7218939.exe
1844	s9384325.exe
4952	s9384325.exe
3060	legends.exe
2776	legends.exe
2600	legends.exe
4676	legends.exe
2812	legends.exe
3364	legends.exe
3768	legends.exe
3504	legends.exe
1992	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
1772	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o3610258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o3610258.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9564351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9564351.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8655906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8655906.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3964 set thread context of 4160	3964	r7218939.exe	92
PID 1844 set thread context of 4952	1844	s9384325.exe	94
PID 3060 set thread context of 2776	3060	legends.exe	96
PID 2600 set thread context of 2812	2600	legends.exe	114
PID 3364 set thread context of 1992	3364	legends.exe	119

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3640	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
460	224	WerFault.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4736	o3610258.exe
4736	o3610258.exe
4160	r7218939.exe
4160	r7218939.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	o3610258.exe
Token: SeDebugPrivilege	3964	r7218939.exe
Token: SeDebugPrivilege	1844	s9384325.exe
Token: SeDebugPrivilege	3060	legends.exe
Token: SeDebugPrivilege	4160	r7218939.exe
Token: SeDebugPrivilege	2600	legends.exe
Token: SeDebugPrivilege	3364	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4952	s9384325.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1276	4780	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe	81
PID 4780 wrote to memory of 1276	4780	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe	81
PID 4780 wrote to memory of 1276	4780	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe	81
PID 1276 wrote to memory of 4352	1276	z9564351.exe	82
PID 1276 wrote to memory of 4352	1276	z9564351.exe	82
PID 1276 wrote to memory of 4352	1276	z9564351.exe	82
PID 4352 wrote to memory of 4736	4352	z8655906.exe	83
PID 4352 wrote to memory of 4736	4352	z8655906.exe	83
PID 4352 wrote to memory of 4736	4352	z8655906.exe	83
PID 4352 wrote to memory of 224	4352	z8655906.exe	87
PID 4352 wrote to memory of 224	4352	z8655906.exe	87
PID 4352 wrote to memory of 224	4352	z8655906.exe	87
PID 1276 wrote to memory of 3964	1276	z9564351.exe	91
PID 1276 wrote to memory of 3964	1276	z9564351.exe	91
PID 1276 wrote to memory of 3964	1276	z9564351.exe	91
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 3964 wrote to memory of 4160	3964	r7218939.exe	92
PID 4780 wrote to memory of 1844	4780	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe	93
PID 4780 wrote to memory of 1844	4780	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe	93
PID 4780 wrote to memory of 1844	4780	5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe	93
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 1844 wrote to memory of 4952	1844	s9384325.exe	94
PID 4952 wrote to memory of 3060	4952	s9384325.exe	95
PID 4952 wrote to memory of 3060	4952	s9384325.exe	95
PID 4952 wrote to memory of 3060	4952	s9384325.exe	95
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 3060 wrote to memory of 2776	3060	legends.exe	96
PID 2776 wrote to memory of 1816	2776	legends.exe	97
PID 2776 wrote to memory of 1816	2776	legends.exe	97
PID 2776 wrote to memory of 1816	2776	legends.exe	97
PID 2776 wrote to memory of 4792	2776	legends.exe	99
PID 2776 wrote to memory of 4792	2776	legends.exe	99
PID 2776 wrote to memory of 4792	2776	legends.exe	99
PID 4792 wrote to memory of 5104	4792	cmd.exe	101
PID 4792 wrote to memory of 5104	4792	cmd.exe	101
PID 4792 wrote to memory of 5104	4792	cmd.exe	101
PID 4792 wrote to memory of 2972	4792	cmd.exe	102
PID 4792 wrote to memory of 2972	4792	cmd.exe	102
PID 4792 wrote to memory of 2972	4792	cmd.exe	102
PID 4792 wrote to memory of 2996	4792	cmd.exe	103
PID 4792 wrote to memory of 2996	4792	cmd.exe	103
PID 4792 wrote to memory of 2996	4792	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe
"C:\Users\Admin\AppData\Local\Temp\5541609924fdc054ce123eac0c1651d2ca2f85ff8f2f89a883599ca542131c01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9564351.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9564351.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8655906.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8655906.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3610258.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3610258.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9234861.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9234861.exe
      4⤵
      Executes dropped EXE
      PID:224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 928
        5⤵
        Program crash
        
        PID:460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7218939.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7218939.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7218939.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7218939.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9384325.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9384325.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9384325.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9384325.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4576
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 224 -ip 224
1⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2600
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2812

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3364
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1992

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r7218939.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9384325.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9384325.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9384325.exe

Filesize
961KB

MD5
9051bc6e904cd64d7d89d6aa38507a49

SHA1
ab1ccdb123e1185fe2a9f5f728bfc00388f63815

SHA256
5e42445cd52c9403c8c99ea717ce0ad97074d74f5674dab3175d07f6e6d6c9c5

SHA512
8a5ec43da9d84c92a9379be7b06861034a8dbe539c7927de8e48e6201229d1cb2cda6f7f96d11f3cb927690bbb931f7b84de93ffd50c315961312d85797bf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9564351.exe

Filesize
702KB

MD5
07689af2ac4d0ddb2087b2e13c2ca8cd

SHA1
aef602bc5964b8e74a2063bf4f1ff27a71052e0a

SHA256
8ca7bdd0fa71bf74b574a7065cd6e096ceb99c7ac7601af8b27f9bbd4357d79b

SHA512
92d96fab9e61ace797535534150573881352b92ae088cdc24b7e2ed9417957c0ec686007d1a57202294966aa9c7872af0e3364e0bfa5587917f8dc57b71bdca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9564351.exe

Filesize
702KB

MD5
07689af2ac4d0ddb2087b2e13c2ca8cd

SHA1
aef602bc5964b8e74a2063bf4f1ff27a71052e0a

SHA256
8ca7bdd0fa71bf74b574a7065cd6e096ceb99c7ac7601af8b27f9bbd4357d79b

SHA512
92d96fab9e61ace797535534150573881352b92ae088cdc24b7e2ed9417957c0ec686007d1a57202294966aa9c7872af0e3364e0bfa5587917f8dc57b71bdca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7218939.exe

Filesize
903KB

MD5
8f2ef7b6a6caee1c02a5e686d5033f59

SHA1
91d4128578d15695f47c22bb49244291c0024f38

SHA256
47528b5b2e5f79f69110ee444c1406a8970b6bc80e59938edb0a33a608194ea1

SHA512
7d6093ed561b4dfe20f6229d172f497d9498bcd503de30f77b587eda41d7f7ed9f8bbb213252deefa57f1d1609eb8ae9edfe05349b1fa1a695504a5603ac3cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7218939.exe

Filesize
903KB

MD5
8f2ef7b6a6caee1c02a5e686d5033f59

SHA1
91d4128578d15695f47c22bb49244291c0024f38

SHA256
47528b5b2e5f79f69110ee444c1406a8970b6bc80e59938edb0a33a608194ea1

SHA512
7d6093ed561b4dfe20f6229d172f497d9498bcd503de30f77b587eda41d7f7ed9f8bbb213252deefa57f1d1609eb8ae9edfe05349b1fa1a695504a5603ac3cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7218939.exe

Filesize
903KB

MD5
8f2ef7b6a6caee1c02a5e686d5033f59

SHA1
91d4128578d15695f47c22bb49244291c0024f38

SHA256
47528b5b2e5f79f69110ee444c1406a8970b6bc80e59938edb0a33a608194ea1

SHA512
7d6093ed561b4dfe20f6229d172f497d9498bcd503de30f77b587eda41d7f7ed9f8bbb213252deefa57f1d1609eb8ae9edfe05349b1fa1a695504a5603ac3cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8655906.exe

Filesize
305KB

MD5
207f02c0ed037ae0f4f3dcb07b2f9d88

SHA1
42a3610cba82666b643f1a0d4a243924fedd6738

SHA256
fecf60f9386b262016694b1e98c6a79fcfe72a310df76f28b201e720bfc5aad7

SHA512
a5968a9913d58a4ce66d75587c1b63dba4dfdfb176ef4475f48f8e44c95994f470b681d7555c69e1b2c0999c950a326cd2a46aeec61029a2c3ece8a18e3c189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8655906.exe

Filesize
305KB

MD5
207f02c0ed037ae0f4f3dcb07b2f9d88

SHA1
42a3610cba82666b643f1a0d4a243924fedd6738

SHA256
fecf60f9386b262016694b1e98c6a79fcfe72a310df76f28b201e720bfc5aad7

SHA512
a5968a9913d58a4ce66d75587c1b63dba4dfdfb176ef4475f48f8e44c95994f470b681d7555c69e1b2c0999c950a326cd2a46aeec61029a2c3ece8a18e3c189b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3610258.exe

Filesize
184KB

MD5
be991172ef92f39d3bd2025ac0792591

SHA1
3a6d517f664a7ef05499fe9d78a9d8647382a87e

SHA256
3315dcd00f462888896f0100647321086a887280e421c44e78659d8cc48bc073

SHA512
d8ddc8fccb37c671092c1baf86ac5e96d45e879c9e7ff8057055f09906d279828b288d4a1a916b31e3df1bd20f916c595f94fcd95a549cc3ccf7fbc9a47973be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o3610258.exe

Filesize
184KB

MD5
be991172ef92f39d3bd2025ac0792591

SHA1
3a6d517f664a7ef05499fe9d78a9d8647382a87e

SHA256
3315dcd00f462888896f0100647321086a887280e421c44e78659d8cc48bc073

SHA512
d8ddc8fccb37c671092c1baf86ac5e96d45e879c9e7ff8057055f09906d279828b288d4a1a916b31e3df1bd20f916c595f94fcd95a549cc3ccf7fbc9a47973be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9234861.exe

Filesize
145KB

MD5
f638bcf61beb57bcaf5e54afef8b5d83

SHA1
2dfe41298fcffd1887719a08ca71afd2bcfade24

SHA256
46fbc9cf3046795c7c061caadfba2f4a1e6e7e689b91ddddb6a63319a83e1ebe

SHA512
10301dbb4437ea62f17c975c9d5a4857394dc3a9077cc7cc4f0959a807d5b9a46db2b14576ad04bf02bb32e51b42b66c43bfca050224afc722ce56fc808bae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p9234861.exe

Filesize
145KB

MD5
f638bcf61beb57bcaf5e54afef8b5d83

SHA1
2dfe41298fcffd1887719a08ca71afd2bcfade24

SHA256
46fbc9cf3046795c7c061caadfba2f4a1e6e7e689b91ddddb6a63319a83e1ebe

SHA512
10301dbb4437ea62f17c975c9d5a4857394dc3a9077cc7cc4f0959a807d5b9a46db2b14576ad04bf02bb32e51b42b66c43bfca050224afc722ce56fc808bae84

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/224-192-0x00000000005E0000-0x000000000060A000-memory.dmp

Filesize
168KB

Download
memory/1844-207-0x0000000007370000-0x0000000007380000-memory.dmp

Filesize
64KB

Download
memory/1844-205-0x0000000000550000-0x0000000000646000-memory.dmp

Filesize
984KB

Download
memory/1992-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1992-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-251-0x00000000076A0000-0x00000000076B0000-memory.dmp

Filesize
64KB

Download
memory/2776-246-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2776-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2812-255-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2812-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2812-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3060-233-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download
memory/3364-279-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/3964-196-0x0000000000570000-0x0000000000658000-memory.dmp

Filesize
928KB

Download
memory/3964-197-0x0000000007310000-0x0000000007320000-memory.dmp

Filesize
64KB

Download
memory/4160-210-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/4160-211-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/4160-198-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4160-206-0x0000000005510000-0x0000000005B28000-memory.dmp

Filesize
6.1MB

Download
memory/4160-208-0x0000000005090000-0x000000000519A000-memory.dmp

Filesize
1.0MB

Download
memory/4160-209-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/4160-234-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/4160-235-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4160-236-0x0000000006020000-0x0000000006096000-memory.dmp

Filesize
472KB

Download
memory/4160-237-0x0000000006690000-0x00000000066E0000-memory.dmp

Filesize
320KB

Download
memory/4160-238-0x00000000068B0000-0x0000000006A72000-memory.dmp

Filesize
1.8MB

Download
memory/4160-239-0x0000000006FB0000-0x00000000074DC000-memory.dmp

Filesize
5.2MB

Download
memory/4736-185-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4736-164-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-154-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/4736-155-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-156-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-187-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4736-186-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4736-158-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-184-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-182-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-180-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-178-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-176-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-175-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4736-172-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-173-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4736-170-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-168-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-166-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-160-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4736-162-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/4952-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4952-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4952-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4952-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4952-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download