redline | b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe
Size

1.1MB
MD5

41b5ce0c99e184f46763bc52252b6945
SHA1

9feeeaf78c5b371501751440ec57f2ff97313ebb
SHA256

b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60
SHA512

3d9d7add716e43dc7f0d01df5eae203647cd53993d83515488b1b8e08fc283e5271dc239a0d7f454bc160f27d6910802197fd8b7464ab9bee8ffaa28bc366454
SSDEEP

24576:+y0x4Gg4tUjmzOs2ThqNzNmJ/3AP1xCGSHBiRQ50e9L:N0hgqYUOs8izNmJ/assH

Score

10^/10

redline horor linda discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

linda

185.161.248.75:4132

Attributes

auth_value
21cdc21d041667b9c1679f88a1146770

Extracted

Family

redline

Botnet

horor

185.161.248.75:4132

Attributes

auth_value
b8d506fe48db15c38fb031d07f42d529

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o7352979.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o7352979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7352979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7352979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7352979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7352979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7352979.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s9858493.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s9858493.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 15 IoCs

Processes:

z7624067.exez4586589.exeo7352979.exep7517534.exer1264013.exer1264013.exes9858493.exes9858493.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
2780	z7624067.exe
4916	z4586589.exe
2412	o7352979.exe
4140	p7517534.exe
4124	r1264013.exe
736	r1264013.exe
2196	s9858493.exe
4528	s9858493.exe
2356	legends.exe
1132	legends.exe
264	legends.exe
4700	legends.exe
2828	legends.exe
3876	legends.exe
1224	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4708 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4708	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o7352979.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o7352979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7352979.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z7624067.exez4586589.exeb512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7624067.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4586589.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4586589.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7624067.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

Processes:

r1264013.exes9858493.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 4124 set thread context of 736	4124	r1264013.exe	r1264013.exe
PID 2196 set thread context of 4528	2196	s9858493.exe	s9858493.exe
PID 2356 set thread context of 1132	2356	legends.exe	legends.exe
PID 264 set thread context of 4700	264	legends.exe	legends.exe
PID 2828 set thread context of 1224	2828	legends.exe	legends.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4300 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3236 4140 WerFault.exe p7517534.exe
1532 1224 WerFault.exe legends.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4596 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o7352979.exer1264013.exe

pid process

2412 o7352979.exe
2412 o7352979.exe
736 r1264013.exe
736 r1264013.exe

pid	process
4300	sc.exe

pid	pid_target	process	target process
3236	4140	WerFault.exe	p7517534.exe
1532	1224	WerFault.exe	legends.exe

pid	process
4596	schtasks.exe

pid	process
2412	o7352979.exe
2412	o7352979.exe
736	r1264013.exe
736	r1264013.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

o7352979.exer1264013.exes9858493.exelegends.exer1264013.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2412	o7352979.exe
Token: SeDebugPrivilege	4124	r1264013.exe
Token: SeDebugPrivilege	2196	s9858493.exe
Token: SeDebugPrivilege	2356	legends.exe
Token: SeDebugPrivilege	736	r1264013.exe
Token: SeDebugPrivilege	264	legends.exe
Token: SeDebugPrivilege	2828	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s9858493.exe

pid process

4528 s9858493.exe

pid	process
4528	s9858493.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exez7624067.exez4586589.exer1264013.exes9858493.exes9858493.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 2780	1688	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe	z7624067.exe
PID 1688 wrote to memory of 2780	1688	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe	z7624067.exe
PID 1688 wrote to memory of 2780	1688	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe	z7624067.exe
PID 2780 wrote to memory of 4916	2780	z7624067.exe	z4586589.exe
PID 2780 wrote to memory of 4916	2780	z7624067.exe	z4586589.exe
PID 2780 wrote to memory of 4916	2780	z7624067.exe	z4586589.exe
PID 4916 wrote to memory of 2412	4916	z4586589.exe	o7352979.exe
PID 4916 wrote to memory of 2412	4916	z4586589.exe	o7352979.exe
PID 4916 wrote to memory of 2412	4916	z4586589.exe	o7352979.exe
PID 4916 wrote to memory of 4140	4916	z4586589.exe	p7517534.exe
PID 4916 wrote to memory of 4140	4916	z4586589.exe	p7517534.exe
PID 4916 wrote to memory of 4140	4916	z4586589.exe	p7517534.exe
PID 2780 wrote to memory of 4124	2780	z7624067.exe	r1264013.exe
PID 2780 wrote to memory of 4124	2780	z7624067.exe	r1264013.exe
PID 2780 wrote to memory of 4124	2780	z7624067.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 4124 wrote to memory of 736	4124	r1264013.exe	r1264013.exe
PID 1688 wrote to memory of 2196	1688	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe	s9858493.exe
PID 1688 wrote to memory of 2196	1688	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe	s9858493.exe
PID 1688 wrote to memory of 2196	1688	b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 2196 wrote to memory of 4528	2196	s9858493.exe	s9858493.exe
PID 4528 wrote to memory of 2356	4528	s9858493.exe	legends.exe
PID 4528 wrote to memory of 2356	4528	s9858493.exe	legends.exe
PID 4528 wrote to memory of 2356	4528	s9858493.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 2356 wrote to memory of 1132	2356	legends.exe	legends.exe
PID 1132 wrote to memory of 4596	1132	legends.exe	schtasks.exe
PID 1132 wrote to memory of 4596	1132	legends.exe	schtasks.exe
PID 1132 wrote to memory of 4596	1132	legends.exe	schtasks.exe
PID 1132 wrote to memory of 1288	1132	legends.exe	cmd.exe
PID 1132 wrote to memory of 1288	1132	legends.exe	cmd.exe
PID 1132 wrote to memory of 1288	1132	legends.exe	cmd.exe
PID 1288 wrote to memory of 4820	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 4820	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 4820	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 4144	1288	cmd.exe	cacls.exe
PID 1288 wrote to memory of 4144	1288	cmd.exe	cacls.exe
PID 1288 wrote to memory of 4144	1288	cmd.exe	cacls.exe
PID 1288 wrote to memory of 4408	1288	cmd.exe	cacls.exe
PID 1288 wrote to memory of 4408	1288	cmd.exe	cacls.exe
PID 1288 wrote to memory of 4408	1288	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe
"C:\Users\Admin\AppData\Local\Temp\b512a91109ddbb97d4e3a0588976dcc08bf777fcc036c7649eeaaa0c15176f60.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7624067.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7624067.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4586589.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4586589.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7352979.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7352979.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7517534.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7517534.exe
4⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 928
5⤵
- Program crash
PID:3236

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1264013.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1264013.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1264013.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1264013.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9858493.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9858493.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9858493.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9858493.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4820

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:4144

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4032

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:688

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:4520

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4140 -ip 4140
1⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4300

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 12
3⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1224 -ip 1224
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\r1264013.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9858493.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9858493.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9858493.exe
Filesize
961KB

MD5
a908667eec87022cb90804ded40b82e0

SHA1
d7fd546d2c308db007fb30506d0b1e4c160c6c0b

SHA256
bc5c75d8f0d25086896711174486768b02e291aad16f10430438edc479dae4d7

SHA512
0898a7517d34916a79e042de9d92961c4c9b42c24eb1dc2e66d491e537a52dd8df7172130907e2406c2faa030ddfdce6975ac9508320ffd48fa71c1bd3c20a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7624067.exe
Filesize
703KB

MD5
b4730b4826e7c4f846ea23448cf8a6aa

SHA1
3b360ab35584b564298893cce1f130ddb0980186

SHA256
1cac0f55add344ab2535ee891677fc988fa87c0ea51fb46c5fa86cb3365d017a

SHA512
4ded0b6b4ad98c7aa90fdaba7438ac4db1c11b91c953652bca683cd07209a4d58c5505bceb8a86893473ea19c3e699d2ebeae003a7def0d8e1e6fc3237430111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7624067.exe
Filesize
703KB

MD5
b4730b4826e7c4f846ea23448cf8a6aa

SHA1
3b360ab35584b564298893cce1f130ddb0980186

SHA256
1cac0f55add344ab2535ee891677fc988fa87c0ea51fb46c5fa86cb3365d017a

SHA512
4ded0b6b4ad98c7aa90fdaba7438ac4db1c11b91c953652bca683cd07209a4d58c5505bceb8a86893473ea19c3e699d2ebeae003a7def0d8e1e6fc3237430111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1264013.exe
Filesize
903KB

MD5
07b86fca5b9a9328386081f6c600012d

SHA1
d43fc59d15634cfef949bfa5bb67bd9ebdfec8f2

SHA256
92eab129eb6632784e82a8f9cbb2ec9c2a9e2d123d717ed59b87d17bb60c3366

SHA512
5e01fb62124f77f3adf4fa91f6a038d9c1454fa24a349528b84c8b406ef5b1d3baeac4f6829b06a4fcbf0cae84536f7ef9e9435d77716dedadae8ba49ef69b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1264013.exe
Filesize
903KB

MD5
07b86fca5b9a9328386081f6c600012d

SHA1
d43fc59d15634cfef949bfa5bb67bd9ebdfec8f2

SHA256
92eab129eb6632784e82a8f9cbb2ec9c2a9e2d123d717ed59b87d17bb60c3366

SHA512
5e01fb62124f77f3adf4fa91f6a038d9c1454fa24a349528b84c8b406ef5b1d3baeac4f6829b06a4fcbf0cae84536f7ef9e9435d77716dedadae8ba49ef69b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1264013.exe
Filesize
903KB

MD5
07b86fca5b9a9328386081f6c600012d

SHA1
d43fc59d15634cfef949bfa5bb67bd9ebdfec8f2

SHA256
92eab129eb6632784e82a8f9cbb2ec9c2a9e2d123d717ed59b87d17bb60c3366

SHA512
5e01fb62124f77f3adf4fa91f6a038d9c1454fa24a349528b84c8b406ef5b1d3baeac4f6829b06a4fcbf0cae84536f7ef9e9435d77716dedadae8ba49ef69b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4586589.exe
Filesize
305KB

MD5
799864c44b71850b1d868f5e145d8845

SHA1
c7abf7dfe1c34b9d1fd1f6e0705fd456512625c4

SHA256
773360c7a83b58ee4bcb888c1ced7617807c9bcd6c8bb55297341f4ce5579b82

SHA512
cb9df37a9c8e714e8244e4eaa8bb7a03c77122c232407de8db69b93885ce2c4bf95e2f5c05c83b8fe672da9ba6427889a66b3e6032e41eac070934a8ea9d68b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4586589.exe
Filesize
305KB

MD5
799864c44b71850b1d868f5e145d8845

SHA1
c7abf7dfe1c34b9d1fd1f6e0705fd456512625c4

SHA256
773360c7a83b58ee4bcb888c1ced7617807c9bcd6c8bb55297341f4ce5579b82

SHA512
cb9df37a9c8e714e8244e4eaa8bb7a03c77122c232407de8db69b93885ce2c4bf95e2f5c05c83b8fe672da9ba6427889a66b3e6032e41eac070934a8ea9d68b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7352979.exe
Filesize
184KB

MD5
8c1b05fb6e8cdf1c5c245a93a5c4e9f6

SHA1
92c46344d8a607363729295a338115a577ac16fb

SHA256
918a8764ce82491627ab38183a42f543513960a452d12ce134520c38a02a8d37

SHA512
8975f6b1d2a74927d3c5a8f55f896bde10471de0844b52c1d50aa196355e21fcb115d873ab5d625cc34b7b74e8aa994929ef466d7d00e85df2c6d8a8b4463231

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7352979.exe
Filesize
184KB

MD5
8c1b05fb6e8cdf1c5c245a93a5c4e9f6

SHA1
92c46344d8a607363729295a338115a577ac16fb

SHA256
918a8764ce82491627ab38183a42f543513960a452d12ce134520c38a02a8d37

SHA512
8975f6b1d2a74927d3c5a8f55f896bde10471de0844b52c1d50aa196355e21fcb115d873ab5d625cc34b7b74e8aa994929ef466d7d00e85df2c6d8a8b4463231

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7517534.exe
Filesize
145KB

MD5
8c023e7da28814de925c3aa737d82f22

SHA1
7b994ce28ea40b9af5c1337a8f11ea1312828dbd

SHA256
dfa724ca58d101dd002b34e2ed6eb02a28fc4f0143b33d7490298d15dc49ee0a

SHA512
54f1f6c6144b5eb7524449157a493b207fb8a4f63abad56d03679ac1907a6f9635c6aabd3cdaff022229eabfc7aa29722c89c025931d2be3b37868793d59f4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7517534.exe
Filesize
145KB

MD5
8c023e7da28814de925c3aa737d82f22

SHA1
7b994ce28ea40b9af5c1337a8f11ea1312828dbd

SHA256
dfa724ca58d101dd002b34e2ed6eb02a28fc4f0143b33d7490298d15dc49ee0a

SHA512
54f1f6c6144b5eb7524449157a493b207fb8a4f63abad56d03679ac1907a6f9635c6aabd3cdaff022229eabfc7aa29722c89c025931d2be3b37868793d59f4ce

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/264-272-0x00000000078E0000-0x00000000078F0000-memory.dmp

Filesize
64KB

Download
memory/736-234-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/736-235-0x0000000006630000-0x00000000066C2000-memory.dmp

Filesize
584KB

Download
memory/736-245-0x00000000070B0000-0x0000000007272000-memory.dmp

Filesize
1.8MB

Download
memory/736-246-0x00000000077B0000-0x0000000007CDC000-memory.dmp

Filesize
5.2MB

Download
memory/736-198-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/736-247-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/736-248-0x00000000069A0000-0x0000000006A16000-memory.dmp

Filesize
472KB

Download
memory/736-249-0x0000000006A20000-0x0000000006A70000-memory.dmp

Filesize
320KB

Download
memory/736-209-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/736-211-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/736-206-0x0000000005C30000-0x0000000006248000-memory.dmp

Filesize
6.1MB

Download
memory/736-207-0x00000000057A0000-0x00000000058AA000-memory.dmp

Filesize
1.0MB

Download
memory/736-208-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/1132-239-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-267-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-243-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-242-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2196-205-0x0000000000E60000-0x0000000000F56000-memory.dmp

Filesize
984KB

Download
memory/2196-210-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2356-233-0x0000000007AE0000-0x0000000007AF0000-memory.dmp

Filesize
64KB

Download
memory/2412-166-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-162-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-154-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/2412-187-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2412-155-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2412-186-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2412-185-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2412-182-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-156-0x0000000004C40000-0x0000000004C50000-memory.dmp

Filesize
64KB

Download
memory/2412-184-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-157-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-158-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-180-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-178-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-176-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-174-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-172-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-170-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-168-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-160-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/2412-164-0x0000000004AA0000-0x0000000004AB6000-memory.dmp

Filesize
88KB

Download
memory/4124-197-0x0000000007E70000-0x0000000007E80000-memory.dmp

Filesize
64KB

Download
memory/4124-196-0x0000000000FB0000-0x0000000001098000-memory.dmp

Filesize
928KB

Download
memory/4140-192-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/4528-212-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4528-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4700-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4700-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4700-277-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download