redline | 33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2023, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe
Size

1021KB
MD5

94a6af3127d7bad601226d34fbe8ecc3
SHA1

70016cc45c10bfbeeacd6802939b84144a025aed
SHA256

33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de
SHA512

fd4f4af2ed0205cb72d508930a3252790a65a3597d2bbc4039dc6de87578c8d15b3e8d267ea2b2d4102b6cd9f79116ef0cb4fe98ae6be18e1c29133b435b1c29
SSDEEP

12288:2Mrny90nJlcMxACNl+K1dBiJu6EofYY523Yhuz+8lz0v47x8HoUHjmkbHQ9eZ9u:5yUlccr+K5iZf9aQ+lx8HzDw98k

Score

10^/10

redline lols discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lols

77.91.68.253:41783

Attributes

auth_value
07dccfc2986896754e6cde616a0a7868

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o2349678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o2349678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o2349678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o2349678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o2349678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o2349678.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/2652-198-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-197-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-200-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-202-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-204-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-206-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-208-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-210-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-212-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-214-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-218-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-216-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-220-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-223-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-227-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-229-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-231-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-233-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline
behavioral1/memory/2652-235-0x0000000004F50000-0x0000000004F8C000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s2741720.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 14 IoCs

pid	Process
4368	z9959511.exe
800	z2283980.exe
2260	o2349678.exe
3204	p7911142.exe
2652	r1316637.exe
4756	s2741720.exe
1436	s2741720.exe
4124	legends.exe
1648	legends.exe
4460	legends.exe
628	legends.exe
2140	legends.exe
1328	legends.exe
1508	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
3408	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o2349678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o2349678.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9959511.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9959511.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2283980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2283980.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4756 set thread context of 1436	4756	s2741720.exe	99
PID 4124 set thread context of 4460	4124	legends.exe	102
PID 628 set thread context of 2140	628	legends.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
688	3204	WerFault.exe	92

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2260	o2349678.exe
2260	o2349678.exe
2652	r1316637.exe
2652	r1316637.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	o2349678.exe
Token: SeDebugPrivilege	2652	r1316637.exe
Token: SeDebugPrivilege	4756	s2741720.exe
Token: SeDebugPrivilege	4124	legends.exe
Token: SeDebugPrivilege	628	legends.exe
Token: SeDebugPrivilege	1328	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1436	s2741720.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4368	220	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe	83
PID 220 wrote to memory of 4368	220	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe	83
PID 220 wrote to memory of 4368	220	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe	83
PID 4368 wrote to memory of 800	4368	z9959511.exe	84
PID 4368 wrote to memory of 800	4368	z9959511.exe	84
PID 4368 wrote to memory of 800	4368	z9959511.exe	84
PID 800 wrote to memory of 2260	800	z2283980.exe	85
PID 800 wrote to memory of 2260	800	z2283980.exe	85
PID 800 wrote to memory of 2260	800	z2283980.exe	85
PID 800 wrote to memory of 3204	800	z2283980.exe	92
PID 800 wrote to memory of 3204	800	z2283980.exe	92
PID 800 wrote to memory of 3204	800	z2283980.exe	92
PID 4368 wrote to memory of 2652	4368	z9959511.exe	95
PID 4368 wrote to memory of 2652	4368	z9959511.exe	95
PID 4368 wrote to memory of 2652	4368	z9959511.exe	95
PID 220 wrote to memory of 4756	220	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe	98
PID 220 wrote to memory of 4756	220	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe	98
PID 220 wrote to memory of 4756	220	33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe	98
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 4756 wrote to memory of 1436	4756	s2741720.exe	99
PID 1436 wrote to memory of 4124	1436	s2741720.exe	100
PID 1436 wrote to memory of 4124	1436	s2741720.exe	100
PID 1436 wrote to memory of 4124	1436	s2741720.exe	100
PID 4124 wrote to memory of 1648	4124	legends.exe	101
PID 4124 wrote to memory of 1648	4124	legends.exe	101
PID 4124 wrote to memory of 1648	4124	legends.exe	101
PID 4124 wrote to memory of 1648	4124	legends.exe	101
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4124 wrote to memory of 4460	4124	legends.exe	102
PID 4460 wrote to memory of 3804	4460	legends.exe	103
PID 4460 wrote to memory of 3804	4460	legends.exe	103
PID 4460 wrote to memory of 3804	4460	legends.exe	103
PID 4460 wrote to memory of 3904	4460	legends.exe	105
PID 4460 wrote to memory of 3904	4460	legends.exe	105
PID 4460 wrote to memory of 3904	4460	legends.exe	105
PID 3904 wrote to memory of 808	3904	cmd.exe	107
PID 3904 wrote to memory of 808	3904	cmd.exe	107
PID 3904 wrote to memory of 808	3904	cmd.exe	107
PID 3904 wrote to memory of 4264	3904	cmd.exe	108
PID 3904 wrote to memory of 4264	3904	cmd.exe	108
PID 3904 wrote to memory of 4264	3904	cmd.exe	108
PID 3904 wrote to memory of 2220	3904	cmd.exe	109
PID 3904 wrote to memory of 2220	3904	cmd.exe	109
PID 3904 wrote to memory of 2220	3904	cmd.exe	109
PID 3904 wrote to memory of 3460	3904	cmd.exe	110
PID 3904 wrote to memory of 3460	3904	cmd.exe	110
PID 3904 wrote to memory of 3460	3904	cmd.exe	110
PID 3904 wrote to memory of 2824	3904	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe
"C:\Users\Admin\AppData\Local\Temp\33dafa4a59da34abe8818cb7019910fe63be879fec5555ed8a85a1ba716b30de.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9959511.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9959511.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2283980.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2283980.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2349678.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2349678.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7911142.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7911142.exe
      4⤵
      Executes dropped EXE
      PID:3204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 928
        5⤵
        Program crash
        
        PID:688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1316637.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1316637.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2741720.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2741720.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2741720.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2741720.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:1648
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3804
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4284
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3204 -ip 3204
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:628
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2140

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2741720.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2741720.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2741720.exe

Filesize
962KB

MD5
3dfee1eb4192170fea70d8b812fb9781

SHA1
6014ab038dcf4beaab7eee3ecf3c814a0965f45a

SHA256
6edb45436f9f8b63e6a6b8aed6be21243021a72deeb409c9c156807b0e8b5ca7

SHA512
abedfd638cf477b521577d4626b0ef1c8cc8cdabaff528f4a3fc4d8470cfd88e57ba2f3df03f487f4bd216732cbab47f6217f9abe7b000eed6f72a47b84a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9959511.exe

Filesize
576KB

MD5
2bb0831ce83dcdbc1ce17aa8831e8df4

SHA1
55b3c85330ac90c94e9b9602c5e900a497ed7497

SHA256
18667f948bb64530ea735760144b5c092e2b890de63f9284c5202ee30034f3c4

SHA512
aec8ffcc269fac2bf2a054804e30924959d74b166ac11f3d7fd1dcaca82eefe205cd109311c95c393491e7e206210506e7df4fb004050cd113214d6e521e2ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9959511.exe

Filesize
576KB

MD5
2bb0831ce83dcdbc1ce17aa8831e8df4

SHA1
55b3c85330ac90c94e9b9602c5e900a497ed7497

SHA256
18667f948bb64530ea735760144b5c092e2b890de63f9284c5202ee30034f3c4

SHA512
aec8ffcc269fac2bf2a054804e30924959d74b166ac11f3d7fd1dcaca82eefe205cd109311c95c393491e7e206210506e7df4fb004050cd113214d6e521e2ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1316637.exe

Filesize
284KB

MD5
c433bfb714b9755e1a1d8fd3515e6489

SHA1
5dc4fc99519dc8ec7f7b07d172f74c2f01a15f6f

SHA256
3a78e3509d4fe71792bdc3f6bd31e7b37cc6ffea6210c5b2ced9a933edffbd91

SHA512
458246f928c74ff1b21bd2997f53923d6852beb6322a0a9adc34a6624894815c2ebee954a0089586478ba87c2ab39753f863a6f9f376de597454c8e6eeb137bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1316637.exe

Filesize
284KB

MD5
c433bfb714b9755e1a1d8fd3515e6489

SHA1
5dc4fc99519dc8ec7f7b07d172f74c2f01a15f6f

SHA256
3a78e3509d4fe71792bdc3f6bd31e7b37cc6ffea6210c5b2ced9a933edffbd91

SHA512
458246f928c74ff1b21bd2997f53923d6852beb6322a0a9adc34a6624894815c2ebee954a0089586478ba87c2ab39753f863a6f9f376de597454c8e6eeb137bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2283980.exe

Filesize
305KB

MD5
eabab107eb2778cf12a1fdc7344e9bd2

SHA1
b5e63882b65c3d3238b17ee60480759ff8d6f929

SHA256
d4b24bfb50ec20e09d46757ac3fcf95339d67bbc58a1d20532faac9398e7c547

SHA512
32012ce906a78895711971aa7406961ecf93c1df288845c7a8fb94034fdf601bc634cfc91910eff2dc0991217080baa19b4c87a4252ca29a147fe7f5a20c3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2283980.exe

Filesize
305KB

MD5
eabab107eb2778cf12a1fdc7344e9bd2

SHA1
b5e63882b65c3d3238b17ee60480759ff8d6f929

SHA256
d4b24bfb50ec20e09d46757ac3fcf95339d67bbc58a1d20532faac9398e7c547

SHA512
32012ce906a78895711971aa7406961ecf93c1df288845c7a8fb94034fdf601bc634cfc91910eff2dc0991217080baa19b4c87a4252ca29a147fe7f5a20c3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2349678.exe

Filesize
184KB

MD5
4c94e0df16c58143287479c74f3e54e7

SHA1
f93129b20ac587e95b91f611d4c58b3005b140a9

SHA256
c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

SHA512
72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2349678.exe

Filesize
184KB

MD5
4c94e0df16c58143287479c74f3e54e7

SHA1
f93129b20ac587e95b91f611d4c58b3005b140a9

SHA256
c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

SHA512
72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7911142.exe

Filesize
145KB

MD5
6633962990a012aad8ac3cc9d3b7ed8e

SHA1
f110187812482b500120d4c7be03c5d377f3532d

SHA256
d78edbeb1d5a18a5570de6e461b7400a748dd7dd6f7889387f688d564f5d0049

SHA512
c757735ec6b3ea5956dc011c8774e9caec1337aeab5010e49e7a100b40612c335857d963137fa0a5084a321586ef3b6d130af37dda9da8737b47faad02d7230c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p7911142.exe

Filesize
145KB

MD5
6633962990a012aad8ac3cc9d3b7ed8e

SHA1
f110187812482b500120d4c7be03c5d377f3532d

SHA256
d78edbeb1d5a18a5570de6e461b7400a748dd7dd6f7889387f688d564f5d0049

SHA512
c757735ec6b3ea5956dc011c8774e9caec1337aeab5010e49e7a100b40612c335857d963137fa0a5084a321586ef3b6d130af37dda9da8737b47faad02d7230c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/628-1164-0x0000000007A20000-0x0000000007A30000-memory.dmp

Filesize
64KB

Download
memory/1436-1135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1436-1149-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2140-1169-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2260-156-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2260-188-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2260-187-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2260-186-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2260-185-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-183-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-181-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-179-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-177-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-175-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-173-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-171-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-169-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-167-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-165-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-163-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-161-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-159-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-158-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2260-157-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2260-155-0x0000000004D00000-0x00000000052A4000-memory.dmp

Filesize
5.6MB

Download
memory/2260-154-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2652-223-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-231-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-1108-0x00000000051B0000-0x00000000057C8000-memory.dmp

Filesize
6.1MB

Download
memory/2652-1109-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/2652-1110-0x0000000005990000-0x00000000059A2000-memory.dmp

Filesize
72KB

Download
memory/2652-1111-0x00000000059B0000-0x00000000059EC000-memory.dmp

Filesize
240KB

Download
memory/2652-1112-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-1113-0x0000000005CA0000-0x0000000005D32000-memory.dmp

Filesize
584KB

Download
memory/2652-1114-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/2652-1115-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-1116-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-1117-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-1118-0x0000000006440000-0x00000000064B6000-memory.dmp

Filesize
472KB

Download
memory/2652-1119-0x00000000064D0000-0x0000000006520000-memory.dmp

Filesize
320KB

Download
memory/2652-1120-0x0000000006790000-0x0000000006952000-memory.dmp

Filesize
1.8MB

Download
memory/2652-1121-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-233-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-1122-0x0000000006970000-0x0000000006E9C000-memory.dmp

Filesize
5.2MB

Download
memory/2652-198-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-197-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-200-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-235-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-229-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-227-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-226-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-224-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-222-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2652-202-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-220-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-216-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-204-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-206-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-218-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-214-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-212-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-210-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/2652-208-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/3204-193-0x0000000000C60000-0x0000000000C8A000-memory.dmp

Filesize
168KB

Download
memory/4124-1150-0x0000000007810000-0x0000000007820000-memory.dmp

Filesize
64KB

Download
memory/4460-1161-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-1158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4756-1128-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/4756-1127-0x0000000000E80000-0x0000000000F78000-memory.dmp

Filesize
992KB

Download