redline | cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe
Size

1.0MB
MD5

a70ecc353c7d887786dedf7018c81b5a
SHA1

a4cc9a263bab80b680d651428e61076e1bf7e589
SHA256

cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403
SHA512

55deaf4cc26b60e006f657d87ccf5971185cb4965d3f44c3ee2fae5bee492af59f29a446ec4e49c9e01fb1fbdede99f63f3c9f85058ee1190337cbd4c13130d4
SSDEEP

12288:6Mrfy90dfjcZ4gTNEpXmsMhFSWUMvkFlgW/KY3TBdXAwH0NaFu1ScGEmFtzzz48c:NyKv3IhFSsvElgkKY3Tfj0aST65zUf

Score

10^/10

redline luna discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luna

77.91.68.253:4138

Attributes

auth_value
16dec8addb01db1c11c59667022ef7a2

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7337109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7337109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7337109.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o7337109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7337109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7337109.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral2/memory/228-213-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-216-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-218-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-214-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-220-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-222-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-224-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-226-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-228-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-230-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-232-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-234-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-236-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-238-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-240-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-242-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-244-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-246-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline
behavioral2/memory/228-248-0x0000000004F80000-0x0000000004FBC000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s9191594.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 11 IoCs

pid	Process
3572	z6505486.exe
4488	z9073601.exe
1456	o7337109.exe
748	p8052265.exe
228	r4419888.exe
4964	s9191594.exe
3372	s9191594.exe
3176	legends.exe
3724	legends.exe
2508	legends.exe
4324	legends.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o7337109.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7337109.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9073601.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6505486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6505486.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9073601.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4964 set thread context of 3372	4964	s9191594.exe	92
PID 3176 set thread context of 3724	3176	legends.exe	94
PID 2508 set thread context of 4324	2508	legends.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1456	o7337109.exe
1456	o7337109.exe
748	p8052265.exe
748	p8052265.exe
228	r4419888.exe
228	r4419888.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	o7337109.exe
Token: SeDebugPrivilege	748	p8052265.exe
Token: SeDebugPrivilege	228	r4419888.exe
Token: SeDebugPrivilege	4964	s9191594.exe
Token: SeDebugPrivilege	3176	legends.exe
Token: SeDebugPrivilege	2508	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3372	s9191594.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3572	5052	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe	85
PID 5052 wrote to memory of 3572	5052	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe	85
PID 5052 wrote to memory of 3572	5052	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe	85
PID 3572 wrote to memory of 4488	3572	z6505486.exe	86
PID 3572 wrote to memory of 4488	3572	z6505486.exe	86
PID 3572 wrote to memory of 4488	3572	z6505486.exe	86
PID 4488 wrote to memory of 1456	4488	z9073601.exe	87
PID 4488 wrote to memory of 1456	4488	z9073601.exe	87
PID 4488 wrote to memory of 1456	4488	z9073601.exe	87
PID 4488 wrote to memory of 748	4488	z9073601.exe	88
PID 4488 wrote to memory of 748	4488	z9073601.exe	88
PID 4488 wrote to memory of 748	4488	z9073601.exe	88
PID 3572 wrote to memory of 228	3572	z6505486.exe	89
PID 3572 wrote to memory of 228	3572	z6505486.exe	89
PID 3572 wrote to memory of 228	3572	z6505486.exe	89
PID 5052 wrote to memory of 4964	5052	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe	91
PID 5052 wrote to memory of 4964	5052	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe	91
PID 5052 wrote to memory of 4964	5052	cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe	91
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 4964 wrote to memory of 3372	4964	s9191594.exe	92
PID 3372 wrote to memory of 3176	3372	s9191594.exe	93
PID 3372 wrote to memory of 3176	3372	s9191594.exe	93
PID 3372 wrote to memory of 3176	3372	s9191594.exe	93
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 3176 wrote to memory of 3724	3176	legends.exe	94
PID 1052 wrote to memory of 1116	1052	cmd.exe	99
PID 1052 wrote to memory of 1116	1052	cmd.exe	99
PID 1052 wrote to memory of 1116	1052	cmd.exe	99
PID 1052 wrote to memory of 3484	1052	cmd.exe	100
PID 1052 wrote to memory of 3484	1052	cmd.exe	100
PID 1052 wrote to memory of 3484	1052	cmd.exe	100
PID 1052 wrote to memory of 2604	1052	cmd.exe	101
PID 1052 wrote to memory of 2604	1052	cmd.exe	101
PID 1052 wrote to memory of 2604	1052	cmd.exe	101
PID 1052 wrote to memory of 2976	1052	cmd.exe	102
PID 1052 wrote to memory of 2976	1052	cmd.exe	102
PID 1052 wrote to memory of 2976	1052	cmd.exe	102
PID 1052 wrote to memory of 528	1052	cmd.exe	103
PID 1052 wrote to memory of 528	1052	cmd.exe	103
PID 1052 wrote to memory of 528	1052	cmd.exe	103
PID 1052 wrote to memory of 2792	1052	cmd.exe	104
PID 1052 wrote to memory of 2792	1052	cmd.exe	104
PID 1052 wrote to memory of 2792	1052	cmd.exe	104
PID 2508 wrote to memory of 4324	2508	legends.exe	107
PID 2508 wrote to memory of 4324	2508	legends.exe	107
PID 2508 wrote to memory of 4324	2508	legends.exe	107
PID 2508 wrote to memory of 4324	2508	legends.exe	107
PID 2508 wrote to memory of 4324	2508	legends.exe	107

C:\Users\Admin\AppData\Local\Temp\cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe
"C:\Users\Admin\AppData\Local\Temp\cdf7b25b498e708f3d8f1100b740bb5eab55e6870ee239e3218a645d8a17f403.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6505486.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6505486.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9073601.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9073601.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7337109.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7337109.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8052265.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8052265.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4419888.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4419888.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9191594.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9191594.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9191594.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9191594.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3724
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2076
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:2792
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        
        PID:2152

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9191594.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9191594.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9191594.exe

Filesize
962KB

MD5
299d533797b29c02788150e29b431175

SHA1
a168c83a955d4698df5ee620e08f34d41e906085

SHA256
1715b9fcb8b892655cacee20fe34b8eea1d1ce533b159277136ebbf426ddf2d2

SHA512
7e0975a6c6bcfe692ea13eba744e8b263b0f397aa2616a6eede0698e6779c3dc05ebcb81513321624e0217c26f74f865116da2b2d5754df1a94e0c8f913adfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6505486.exe

Filesize
585KB

MD5
e3243cd346a23fc0f0008a770e05f9c2

SHA1
260e7d6705c29408b08fdfaf400f2da2c54560e2

SHA256
5373659ace859398e822a13d6c91d67dcc0f206a3cf52c198a54ceeef4f6eb57

SHA512
377de0751953c7b3d0eb5a9a3667fb17342b08db6227fb55f05ea29edad0dc53eaba2067201fd5aaca81993eeb0a42724b109abddd19034cfbc054210c8934be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6505486.exe

Filesize
585KB

MD5
e3243cd346a23fc0f0008a770e05f9c2

SHA1
260e7d6705c29408b08fdfaf400f2da2c54560e2

SHA256
5373659ace859398e822a13d6c91d67dcc0f206a3cf52c198a54ceeef4f6eb57

SHA512
377de0751953c7b3d0eb5a9a3667fb17342b08db6227fb55f05ea29edad0dc53eaba2067201fd5aaca81993eeb0a42724b109abddd19034cfbc054210c8934be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4419888.exe

Filesize
284KB

MD5
df00df9406fe0be1461a9b08463670a3

SHA1
5495a8e1fc7bb6ccc4b861e1354a352d2c55ef61

SHA256
bb72fe236241de101f46729007b4c1dbf52751f1542c1cd23750c3968aedf5c9

SHA512
17d79c34e3395244493e591e47a84c8600cad583695104448190f380b6ebddf60bf0586b7387f46f80caa68864662e637c0f5480472febe11fbaa95969ac88b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4419888.exe

Filesize
284KB

MD5
df00df9406fe0be1461a9b08463670a3

SHA1
5495a8e1fc7bb6ccc4b861e1354a352d2c55ef61

SHA256
bb72fe236241de101f46729007b4c1dbf52751f1542c1cd23750c3968aedf5c9

SHA512
17d79c34e3395244493e591e47a84c8600cad583695104448190f380b6ebddf60bf0586b7387f46f80caa68864662e637c0f5480472febe11fbaa95969ac88b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9073601.exe

Filesize
305KB

MD5
b9e64b9c0a3e0cd295546fdf457f74f6

SHA1
28735899750c29c6fceed4b40871a4750e82546a

SHA256
022dc9bdab5b85abe789a5455f7b86522986445aac7946baefee8ba8358031d6

SHA512
93cb592d38098ddceb618591b7305645b114cb6167555a0e7c071492a6ef5e409d6d2b16be7749bb3436047956c3534b8bace35de5dc55b2d97a5abe9ad2afde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9073601.exe

Filesize
305KB

MD5
b9e64b9c0a3e0cd295546fdf457f74f6

SHA1
28735899750c29c6fceed4b40871a4750e82546a

SHA256
022dc9bdab5b85abe789a5455f7b86522986445aac7946baefee8ba8358031d6

SHA512
93cb592d38098ddceb618591b7305645b114cb6167555a0e7c071492a6ef5e409d6d2b16be7749bb3436047956c3534b8bace35de5dc55b2d97a5abe9ad2afde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7337109.exe

Filesize
184KB

MD5
98e0f43c45433fab60c0d2ded77d5784

SHA1
fbb664214a9b5fc02325cb0eca3bfb888b9e870c

SHA256
21e86e0fe02c466461a69e5cf0163e09601143112586fef22a8a5375d9fe54e0

SHA512
2972f06d28c14ed5b2ee81673683bc4a6190142e2bde646aeebafe78d563cda967a81c2e19727b21fa4d472b565950b9c929cf205e5f87ef4f857f92d8a3dd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7337109.exe

Filesize
184KB

MD5
98e0f43c45433fab60c0d2ded77d5784

SHA1
fbb664214a9b5fc02325cb0eca3bfb888b9e870c

SHA256
21e86e0fe02c466461a69e5cf0163e09601143112586fef22a8a5375d9fe54e0

SHA512
2972f06d28c14ed5b2ee81673683bc4a6190142e2bde646aeebafe78d563cda967a81c2e19727b21fa4d472b565950b9c929cf205e5f87ef4f857f92d8a3dd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8052265.exe

Filesize
145KB

MD5
dd27661aac2ced6a43aaa1626e030cb0

SHA1
d260a13bf613f1fe763733d43b63d7fa1488b5d6

SHA256
ff1b4721839e3566a808be441b8092c507250204d4b44bc2e7bccac3605aa05a

SHA512
15dc6f5eecb965c70793f5c4d722789c305c8271190fe89d44090f3334d60b4f741cf61b67bca320808141af75de6c210fffc101ac160db7bf25a3a06cb0b4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8052265.exe

Filesize
145KB

MD5
dd27661aac2ced6a43aaa1626e030cb0

SHA1
d260a13bf613f1fe763733d43b63d7fa1488b5d6

SHA256
ff1b4721839e3566a808be441b8092c507250204d4b44bc2e7bccac3605aa05a

SHA512
15dc6f5eecb965c70793f5c4d722789c305c8271190fe89d44090f3334d60b4f741cf61b67bca320808141af75de6c210fffc101ac160db7bf25a3a06cb0b4d1

Download Submit
memory/228-248-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-211-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/228-1124-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/228-1123-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/228-1122-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/228-1121-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/228-246-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-244-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-242-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-240-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-238-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-236-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-234-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-232-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-230-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-228-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-226-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-224-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-222-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-220-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-214-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-218-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-216-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-213-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/228-212-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/228-210-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/748-201-0x0000000006640000-0x0000000006802000-memory.dmp

Filesize
1.8MB

Download
memory/748-195-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/748-193-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/748-205-0x00000000065A0000-0x00000000065F0000-memory.dmp

Filesize
320KB

Download
memory/748-204-0x0000000006520000-0x0000000006596000-memory.dmp

Filesize
472KB

Download
memory/748-203-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/748-202-0x0000000006D40000-0x000000000726C000-memory.dmp

Filesize
5.2MB

Download
memory/748-194-0x00000000052F0000-0x0000000005908000-memory.dmp

Filesize
6.1MB

Download
memory/748-200-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/748-199-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/748-198-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

Filesize
240KB

Download
memory/748-197-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/748-196-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/1456-187-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1456-183-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1456-176-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-178-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-180-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-188-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1456-186-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1456-172-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-174-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-185-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1456-184-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1456-182-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-170-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-168-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-154-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/1456-155-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-166-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-164-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-156-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-162-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-158-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/1456-160-0x0000000004970000-0x0000000004987000-memory.dmp

Filesize
92KB

Download
memory/3176-1152-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/3372-1151-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3372-1139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3724-1156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3724-1159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4324-1167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4964-1130-0x0000000007B10000-0x0000000007B20000-memory.dmp

Filesize
64KB

Download
memory/4964-1129-0x0000000000D10000-0x0000000000E08000-memory.dmp

Filesize
992KB

Download