redline | d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe
Size

1.0MB
MD5

241a1120ed1ce9d0290f746309c77f68
SHA1

482527f6e5f1af41240ee6ac3c8024e60b936839
SHA256

d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0
SHA512

9406cdac67d02a6234c07f84663f2474d2dd4c20f607224964dc539898a7b0f060581237569e5e7b07b498a558b72604ffdc3e23f693ec77ec85137959f8bd56
SSDEEP

12288:KMr1y90X2vq0z7BiYjmnsqa9xyQshkX7oJR9ntOgLU4B2Lj+v/B/8C2OB4gWpUF6:3ygw3ljyhhk6R9twNLSbmgWqJMTCW

Score

10^/10

redline luna discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luna

77.91.68.253:4138

Attributes

auth_value
16dec8addb01db1c11c59667022ef7a2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o6659460.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o6659460.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o6659460.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o6659460.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o6659460.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o6659460.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2472-205-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-206-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-208-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-210-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-212-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-214-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-216-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-218-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-220-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-222-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-224-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-226-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-228-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-230-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-232-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-234-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-236-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-238-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-240-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral1/memory/2472-327-0x0000000004A10000-0x0000000004A20000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	s7299101.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 13 IoCs

pid	Process
1324	z2928405.exe
4472	z2810332.exe
1988	o6659460.exe
4872	p7845580.exe
2472	r5263743.exe
2368	s7299101.exe
4000	s7299101.exe
2284	legends.exe
1068	legends.exe
4556	legends.exe
3092	legends.exe
3144	legends.exe
1780	legends.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o6659460.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o6659460.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2928405.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2928405.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2810332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2810332.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 4000	2368	s7299101.exe	93
PID 2284 set thread context of 4556	2284	legends.exe	96
PID 3092 set thread context of 1780	3092	legends.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1988	o6659460.exe
1988	o6659460.exe
4872	p7845580.exe
4872	p7845580.exe
2472	r5263743.exe
2472	r5263743.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	o6659460.exe
Token: SeDebugPrivilege	4872	p7845580.exe
Token: SeDebugPrivilege	2472	r5263743.exe
Token: SeDebugPrivilege	2368	s7299101.exe
Token: SeDebugPrivilege	2284	legends.exe
Token: SeDebugPrivilege	3092	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4000	s7299101.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1324	3420	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe	86
PID 3420 wrote to memory of 1324	3420	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe	86
PID 3420 wrote to memory of 1324	3420	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe	86
PID 1324 wrote to memory of 4472	1324	z2928405.exe	87
PID 1324 wrote to memory of 4472	1324	z2928405.exe	87
PID 1324 wrote to memory of 4472	1324	z2928405.exe	87
PID 4472 wrote to memory of 1988	4472	z2810332.exe	88
PID 4472 wrote to memory of 1988	4472	z2810332.exe	88
PID 4472 wrote to memory of 1988	4472	z2810332.exe	88
PID 4472 wrote to memory of 4872	4472	z2810332.exe	89
PID 4472 wrote to memory of 4872	4472	z2810332.exe	89
PID 4472 wrote to memory of 4872	4472	z2810332.exe	89
PID 1324 wrote to memory of 2472	1324	z2928405.exe	91
PID 1324 wrote to memory of 2472	1324	z2928405.exe	91
PID 1324 wrote to memory of 2472	1324	z2928405.exe	91
PID 3420 wrote to memory of 2368	3420	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe	92
PID 3420 wrote to memory of 2368	3420	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe	92
PID 3420 wrote to memory of 2368	3420	d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe	92
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 2368 wrote to memory of 4000	2368	s7299101.exe	93
PID 4000 wrote to memory of 2284	4000	s7299101.exe	94
PID 4000 wrote to memory of 2284	4000	s7299101.exe	94
PID 4000 wrote to memory of 2284	4000	s7299101.exe	94
PID 2284 wrote to memory of 1068	2284	legends.exe	95
PID 2284 wrote to memory of 1068	2284	legends.exe	95
PID 2284 wrote to memory of 1068	2284	legends.exe	95
PID 2284 wrote to memory of 1068	2284	legends.exe	95
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 2284 wrote to memory of 4556	2284	legends.exe	96
PID 3828 wrote to memory of 2180	3828	cmd.exe	101
PID 3828 wrote to memory of 2180	3828	cmd.exe	101
PID 3828 wrote to memory of 2180	3828	cmd.exe	101
PID 3828 wrote to memory of 1280	3828	cmd.exe	102
PID 3828 wrote to memory of 1280	3828	cmd.exe	102
PID 3828 wrote to memory of 1280	3828	cmd.exe	102
PID 3828 wrote to memory of 3064	3828	cmd.exe	103
PID 3828 wrote to memory of 3064	3828	cmd.exe	103
PID 3828 wrote to memory of 3064	3828	cmd.exe	103
PID 3828 wrote to memory of 2688	3828	cmd.exe	104
PID 3828 wrote to memory of 2688	3828	cmd.exe	104
PID 3828 wrote to memory of 2688	3828	cmd.exe	104
PID 3828 wrote to memory of 1160	3828	cmd.exe	105
PID 3828 wrote to memory of 1160	3828	cmd.exe	105
PID 3828 wrote to memory of 1160	3828	cmd.exe	105
PID 3828 wrote to memory of 3712	3828	cmd.exe	106
PID 3828 wrote to memory of 3712	3828	cmd.exe	106
PID 3828 wrote to memory of 3712	3828	cmd.exe	106
PID 3092 wrote to memory of 3144	3092	legends.exe	109

C:\Users\Admin\AppData\Local\Temp\d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe
"C:\Users\Admin\AppData\Local\Temp\d40884a144f90ef45ac8e98d6c4729630da2a1cca9c08633641a4396dc0fefd0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2928405.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2928405.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2810332.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2810332.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6659460.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6659460.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7845580.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7845580.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5263743.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5263743.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7299101.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7299101.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7299101.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7299101.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4556
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:3712
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        
        PID:1036

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7299101.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7299101.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7299101.exe

Filesize
962KB

MD5
5cc1b3d18dbbeb79d5821196b4766ca1

SHA1
300c0d907c7e61092ae96680a1e1b103f1b25d6e

SHA256
c6d6cc4741ca8732f7c007c87f391183787a2a9ee5957a6c4eb177a8955494c1

SHA512
1bba84bf014d8f5a79117e235d60e7a4283a2b6b551ebd37c0bf1e046596b462cdad6e4f160ff7b312de3e15459a0b59cb915d59994dc24e3add6d548d080578

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2928405.exe

Filesize
585KB

MD5
616daf30fddf7835bd2bbe6905e5a180

SHA1
b31301194108892e738860518379e3a66e8aca14

SHA256
e9fa585e114f0417fd501d24ccaa5a48e0242c15325e120acad5e669f29b7f84

SHA512
f064e8577eadf287aff4285557ae849a72a4d3b0cedde1ac0b779782cbcde1ffc4c486767ae479a5e942c75f1d1884908922937e9b4151557f83dc70fdb0bdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2928405.exe

Filesize
585KB

MD5
616daf30fddf7835bd2bbe6905e5a180

SHA1
b31301194108892e738860518379e3a66e8aca14

SHA256
e9fa585e114f0417fd501d24ccaa5a48e0242c15325e120acad5e669f29b7f84

SHA512
f064e8577eadf287aff4285557ae849a72a4d3b0cedde1ac0b779782cbcde1ffc4c486767ae479a5e942c75f1d1884908922937e9b4151557f83dc70fdb0bdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5263743.exe

Filesize
284KB

MD5
d421bff0f8568083c35cb1fa8cbe4695

SHA1
4dbe96f56129c8494a6e4417a068a90078821d0f

SHA256
46eab7e760efe76212da65e9f8bf6c1f4a2143817fbb97a84bb48f6f4f6a5b8d

SHA512
53d8d54229267c2050272df3462e1593dbbc4a7e1286fa8912d585a9146b51de3d6fc9297ba2ce63577deb4726342e9bba4d8f9424c5259e3848864747415bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5263743.exe

Filesize
284KB

MD5
d421bff0f8568083c35cb1fa8cbe4695

SHA1
4dbe96f56129c8494a6e4417a068a90078821d0f

SHA256
46eab7e760efe76212da65e9f8bf6c1f4a2143817fbb97a84bb48f6f4f6a5b8d

SHA512
53d8d54229267c2050272df3462e1593dbbc4a7e1286fa8912d585a9146b51de3d6fc9297ba2ce63577deb4726342e9bba4d8f9424c5259e3848864747415bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2810332.exe

Filesize
306KB

MD5
24239e2b67f5890071ac9819eb72d7f4

SHA1
814d6d7f8986e79baf8d6f7e120f1fb5e12e22ea

SHA256
1a09823c7c57d6078fe6de4222110e0b2241dc45c198c94074a3b7ed1cc30a00

SHA512
bb1e81db1973885b7aeedbb95090556081870e1c1ebe00b2b654978cc78f5445368a28a5194fb25acd329f1416f15a7681b7cf239b8399f512c892ee25d61e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2810332.exe

Filesize
306KB

MD5
24239e2b67f5890071ac9819eb72d7f4

SHA1
814d6d7f8986e79baf8d6f7e120f1fb5e12e22ea

SHA256
1a09823c7c57d6078fe6de4222110e0b2241dc45c198c94074a3b7ed1cc30a00

SHA512
bb1e81db1973885b7aeedbb95090556081870e1c1ebe00b2b654978cc78f5445368a28a5194fb25acd329f1416f15a7681b7cf239b8399f512c892ee25d61e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6659460.exe

Filesize
184KB

MD5
e763f5a95325210974831a8525593bb2

SHA1
969186aeed2edcb9450a5e52d2eb14f36fcdb001

SHA256
bfe0049da04ead1e7274b230f65b4589c46c58323383bc7c6d52a2df09e98452

SHA512
96474317aed8617c6ddf2c4e063f8a419287e7e5940deb056a6ff175cbf3a6f9b3968041eea2abcc9357a4fc14061a347810a1e0dffa5b1973a9096ad8d3f7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6659460.exe

Filesize
184KB

MD5
e763f5a95325210974831a8525593bb2

SHA1
969186aeed2edcb9450a5e52d2eb14f36fcdb001

SHA256
bfe0049da04ead1e7274b230f65b4589c46c58323383bc7c6d52a2df09e98452

SHA512
96474317aed8617c6ddf2c4e063f8a419287e7e5940deb056a6ff175cbf3a6f9b3968041eea2abcc9357a4fc14061a347810a1e0dffa5b1973a9096ad8d3f7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7845580.exe

Filesize
145KB

MD5
a174a9685d60308a9972afe27308b971

SHA1
a50e2c4f525b5b586564bd3ca86c06aa8312a0cd

SHA256
121764e47fb683b71ff0a0fcf1b6f09f2f3413c440747e1aa8a2f5703c370413

SHA512
9f3fb51ea330d7c5ad51c03f40cea7ba592eadf9e26ef48207ac8674dafc988c97f1e71f5705f1cd6e7d22553ff525d95b4bc87b16f433b6c97dbaaafb31378e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7845580.exe

Filesize
145KB

MD5
a174a9685d60308a9972afe27308b971

SHA1
a50e2c4f525b5b586564bd3ca86c06aa8312a0cd

SHA256
121764e47fb683b71ff0a0fcf1b6f09f2f3413c440747e1aa8a2f5703c370413

SHA512
9f3fb51ea330d7c5ad51c03f40cea7ba592eadf9e26ef48207ac8674dafc988c97f1e71f5705f1cd6e7d22553ff525d95b4bc87b16f433b6c97dbaaafb31378e

Download Submit
memory/1780-1164-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1988-154-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/1988-167-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-181-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-183-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-177-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-175-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-173-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-171-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-169-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-179-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-165-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-155-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/1988-163-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-161-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-159-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-157-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/1988-156-0x0000000004AA0000-0x0000000004AB7000-memory.dmp

Filesize
92KB

Download
memory/2284-1146-0x00000000075D0000-0x00000000075E0000-memory.dmp

Filesize
64KB

Download
memory/2368-1123-0x0000000000AB0000-0x0000000000BA8000-memory.dmp

Filesize
992KB

Download
memory/2368-1124-0x0000000007990000-0x00000000079A0000-memory.dmp

Filesize
64KB

Download
memory/2472-214-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-210-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-220-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-222-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-224-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-226-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-228-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-230-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-232-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-234-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-236-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-238-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-240-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-327-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2472-329-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2472-331-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2472-1116-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2472-1117-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2472-1118-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2472-216-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-212-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-218-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-208-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-206-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2472-205-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/3092-1158-0x0000000007630000-0x0000000007640000-memory.dmp

Filesize
64KB

Download
memory/4000-1131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4000-1145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4556-1151-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4556-1154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4872-194-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/4872-192-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/4872-193-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4872-197-0x0000000005CC0000-0x0000000005D10000-memory.dmp

Filesize
320KB

Download
memory/4872-191-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

Filesize
72KB

Download
memory/4872-190-0x0000000004D70000-0x0000000004E7A000-memory.dmp

Filesize
1.0MB

Download
memory/4872-195-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/4872-189-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/4872-188-0x0000000000410000-0x000000000043A000-memory.dmp

Filesize
168KB

Download
memory/4872-196-0x0000000006370000-0x00000000063E6000-memory.dmp

Filesize
472KB

Download
memory/4872-198-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4872-199-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/4872-200-0x0000000006CC0000-0x00000000071EC000-memory.dmp

Filesize
5.2MB

Download