redline | a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe
Size

1021KB
MD5

0048f87d699fdcb22a5ae0903f0154de
SHA1

619413d7ecd0712c3c2b059c033adb40606685d9
SHA256

a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925
SHA512

c49f51101a9bf24c472c265e8aef054e606c8d1f720efaa76bf8e4afc0ece2815ab1d4681e9b8d9f20a24dc395e428ef81c268d64e36888b12b18e5a241ce4b8
SSDEEP

24576:ZyO3tjsZnSPseKzbETib0EdqDUiaoZivYPPXrYO95YLZoFCdY/my:MONMnSPdKZ0EdSaoZivIbBoLZK6

Score

10^/10

redline lols discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lols

77.91.68.253:41783

Attributes

auth_value
07dccfc2986896754e6cde616a0a7868

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4597886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4597886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4597886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4597886.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o4597886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4597886.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 21 IoCs

resource	yara_rule
behavioral1/memory/2252-196-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-197-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-199-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-201-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-203-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-205-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-207-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-209-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-211-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-213-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-215-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-217-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-219-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-221-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-223-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-227-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-225-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-229-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-231-0x0000000002430000-0x000000000246C000-memory.dmp	family_redline
behavioral1/memory/2252-460-0x0000000004B40000-0x0000000004B50000-memory.dmp	family_redline
behavioral1/memory/2252-1115-0x0000000004B40000-0x0000000004B50000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s0670809.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 14 IoCs

pid	Process
4540	z9680442.exe
4120	z5683646.exe
4820	o4597886.exe
4772	p2004938.exe
2252	r6878218.exe
1200	s0670809.exe
1144	s0670809.exe
4200	s0670809.exe
2512	legends.exe
3044	legends.exe
3064	legends.exe
2748	legends.exe
4832	legends.exe
432	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
4496	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4597886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4597886.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9680442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9680442.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5683646.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5683646.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 4200	1200	s0670809.exe	103
PID 2512 set thread context of 3044	2512	legends.exe	105
PID 3064 set thread context of 2748	3064	legends.exe	117
PID 4832 set thread context of 432	4832	legends.exe	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3684	4772	WerFault.exe	92

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4820	o4597886.exe
4820	o4597886.exe
2252	r6878218.exe
2252	r6878218.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	o4597886.exe
Token: SeDebugPrivilege	2252	r6878218.exe
Token: SeDebugPrivilege	1200	s0670809.exe
Token: SeDebugPrivilege	2512	legends.exe
Token: SeDebugPrivilege	3064	legends.exe
Token: SeDebugPrivilege	4832	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4200	s0670809.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4540	4836	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe	85
PID 4836 wrote to memory of 4540	4836	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe	85
PID 4836 wrote to memory of 4540	4836	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe	85
PID 4540 wrote to memory of 4120	4540	z9680442.exe	86
PID 4540 wrote to memory of 4120	4540	z9680442.exe	86
PID 4540 wrote to memory of 4120	4540	z9680442.exe	86
PID 4120 wrote to memory of 4820	4120	z5683646.exe	87
PID 4120 wrote to memory of 4820	4120	z5683646.exe	87
PID 4120 wrote to memory of 4820	4120	z5683646.exe	87
PID 4120 wrote to memory of 4772	4120	z5683646.exe	92
PID 4120 wrote to memory of 4772	4120	z5683646.exe	92
PID 4120 wrote to memory of 4772	4120	z5683646.exe	92
PID 4540 wrote to memory of 2252	4540	z9680442.exe	98
PID 4540 wrote to memory of 2252	4540	z9680442.exe	98
PID 4540 wrote to memory of 2252	4540	z9680442.exe	98
PID 4836 wrote to memory of 1200	4836	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe	100
PID 4836 wrote to memory of 1200	4836	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe	100
PID 4836 wrote to memory of 1200	4836	a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe	100
PID 1200 wrote to memory of 1144	1200	s0670809.exe	101
PID 1200 wrote to memory of 1144	1200	s0670809.exe	101
PID 1200 wrote to memory of 1144	1200	s0670809.exe	101
PID 1200 wrote to memory of 1144	1200	s0670809.exe	101
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 1200 wrote to memory of 4200	1200	s0670809.exe	103
PID 4200 wrote to memory of 2512	4200	s0670809.exe	104
PID 4200 wrote to memory of 2512	4200	s0670809.exe	104
PID 4200 wrote to memory of 2512	4200	s0670809.exe	104
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 2512 wrote to memory of 3044	2512	legends.exe	105
PID 3044 wrote to memory of 3464	3044	legends.exe	106
PID 3044 wrote to memory of 3464	3044	legends.exe	106
PID 3044 wrote to memory of 3464	3044	legends.exe	106
PID 3044 wrote to memory of 3452	3044	legends.exe	108
PID 3044 wrote to memory of 3452	3044	legends.exe	108
PID 3044 wrote to memory of 3452	3044	legends.exe	108
PID 3452 wrote to memory of 4100	3452	cmd.exe	110
PID 3452 wrote to memory of 4100	3452	cmd.exe	110
PID 3452 wrote to memory of 4100	3452	cmd.exe	110
PID 3452 wrote to memory of 3432	3452	cmd.exe	111
PID 3452 wrote to memory of 3432	3452	cmd.exe	111
PID 3452 wrote to memory of 3432	3452	cmd.exe	111
PID 3452 wrote to memory of 3088	3452	cmd.exe	112
PID 3452 wrote to memory of 3088	3452	cmd.exe	112
PID 3452 wrote to memory of 3088	3452	cmd.exe	112
PID 3452 wrote to memory of 3588	3452	cmd.exe	113
PID 3452 wrote to memory of 3588	3452	cmd.exe	113
PID 3452 wrote to memory of 3588	3452	cmd.exe	113
PID 3452 wrote to memory of 776	3452	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe
"C:\Users\Admin\AppData\Local\Temp\a99866b28b2bf7df0a8da0547e1949e1e07fcbc7a4c8c9963d04316ec67dc925.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9680442.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9680442.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5683646.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5683646.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4597886.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4597886.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2004938.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2004938.exe
      4⤵
      Executes dropped EXE
      PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 928
        5⤵
        Program crash
        
        PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6878218.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6878218.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:3096
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4772 -ip 4772
1⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3064
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2748

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4832
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0670809.exe

Filesize
962KB

MD5
11ee8cdfed9e90d61e7b08344603e260

SHA1
139f6d8d394704445e7d292e42e3a2dfb86ddcbf

SHA256
870b097c2568a42d8ff5024a21d68ea5cc5345ab34251d45f9f7bfbc3704fde4

SHA512
88b65cda9abcfc19e2f677651c0a1cf3e880c74d72ec89d8ffc141fcd09e324cc5737665ce797fae2a0020ce96cf305d01b0c4b584a25be06d0c53bc32a53fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9680442.exe

Filesize
576KB

MD5
0a7c25e874dc30a91d99e0f1e5d2c62f

SHA1
bcfd83031e7a3802f9e1e51a319617dbdfa4f6b3

SHA256
b4a9af05da958dede83b3f1a37c88311f4b0c144d513384523ee1d964a7c31c2

SHA512
33ca7853b384409a0e07f29c638fab2576b1218affe6e98daf3628d52a0455d70fd87cc14cc3e538f5cb5078182f15a2d406b27d3f477c74f73c80dbc2ad369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9680442.exe

Filesize
576KB

MD5
0a7c25e874dc30a91d99e0f1e5d2c62f

SHA1
bcfd83031e7a3802f9e1e51a319617dbdfa4f6b3

SHA256
b4a9af05da958dede83b3f1a37c88311f4b0c144d513384523ee1d964a7c31c2

SHA512
33ca7853b384409a0e07f29c638fab2576b1218affe6e98daf3628d52a0455d70fd87cc14cc3e538f5cb5078182f15a2d406b27d3f477c74f73c80dbc2ad369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6878218.exe

Filesize
284KB

MD5
e89e1ebf128a7c3d1c366fbcd7d8b5b1

SHA1
f3de3a243a76435498f0ed3dd84840cfc2ad4441

SHA256
86a228aeddd04904f7647904f9cbaff9efb3762dbd797d37c12dfa2ed17feae5

SHA512
4861e5682a92fa295549159ab5f5e3f82acc500293bfc3c724b58ff597aeb4cfb1b580c88b36f5ebdb256e7cffec37d5615ab679e195cc6fb0445db9af489dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6878218.exe

Filesize
284KB

MD5
e89e1ebf128a7c3d1c366fbcd7d8b5b1

SHA1
f3de3a243a76435498f0ed3dd84840cfc2ad4441

SHA256
86a228aeddd04904f7647904f9cbaff9efb3762dbd797d37c12dfa2ed17feae5

SHA512
4861e5682a92fa295549159ab5f5e3f82acc500293bfc3c724b58ff597aeb4cfb1b580c88b36f5ebdb256e7cffec37d5615ab679e195cc6fb0445db9af489dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5683646.exe

Filesize
305KB

MD5
7815b2df2bc10505e12478f32e822e35

SHA1
36bc0ed27a47ea0fdc65a737a38f98a310481c9f

SHA256
6b2e3e5ef1c4cf470d519a269a3ca9bad49971bfa9f39a9683b2ad0ed06ebc66

SHA512
16376fc1ea86ab1e192a6344628f30541f3626b24e627a8657f30eecfd6fb1c923769a815a9233ad940ea728eeb2543aae198e1d177905036e0148c93315cd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5683646.exe

Filesize
305KB

MD5
7815b2df2bc10505e12478f32e822e35

SHA1
36bc0ed27a47ea0fdc65a737a38f98a310481c9f

SHA256
6b2e3e5ef1c4cf470d519a269a3ca9bad49971bfa9f39a9683b2ad0ed06ebc66

SHA512
16376fc1ea86ab1e192a6344628f30541f3626b24e627a8657f30eecfd6fb1c923769a815a9233ad940ea728eeb2543aae198e1d177905036e0148c93315cd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4597886.exe

Filesize
184KB

MD5
4c94e0df16c58143287479c74f3e54e7

SHA1
f93129b20ac587e95b91f611d4c58b3005b140a9

SHA256
c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

SHA512
72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4597886.exe

Filesize
184KB

MD5
4c94e0df16c58143287479c74f3e54e7

SHA1
f93129b20ac587e95b91f611d4c58b3005b140a9

SHA256
c55f04038db70d84fe431937ecf878573a31f0777ea612ad482f76c9a9968a2f

SHA512
72d63fafde9940b14b6ffcad664c287adadee194d8bd3cd685916814ab2b6be4fee82cd6af2035433a1ec39609d2a4ca74cffa414a92182c06ccd4d86b085f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2004938.exe

Filesize
145KB

MD5
6633962990a012aad8ac3cc9d3b7ed8e

SHA1
f110187812482b500120d4c7be03c5d377f3532d

SHA256
d78edbeb1d5a18a5570de6e461b7400a748dd7dd6f7889387f688d564f5d0049

SHA512
c757735ec6b3ea5956dc011c8774e9caec1337aeab5010e49e7a100b40612c335857d963137fa0a5084a321586ef3b6d130af37dda9da8737b47faad02d7230c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2004938.exe

Filesize
145KB

MD5
6633962990a012aad8ac3cc9d3b7ed8e

SHA1
f110187812482b500120d4c7be03c5d377f3532d

SHA256
d78edbeb1d5a18a5570de6e461b7400a748dd7dd6f7889387f688d564f5d0049

SHA512
c757735ec6b3ea5956dc011c8774e9caec1337aeab5010e49e7a100b40612c335857d963137fa0a5084a321586ef3b6d130af37dda9da8737b47faad02d7230c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/432-1194-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1200-1125-0x00000000075C0000-0x00000000075D0000-memory.dmp

Filesize
64KB

Download
memory/1200-1124-0x0000000000750000-0x0000000000848000-memory.dmp

Filesize
992KB

Download
memory/2252-223-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-1116-0x00000000066C0000-0x0000000006882000-memory.dmp

Filesize
1.8MB

Download
memory/2252-196-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-197-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-199-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-201-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-203-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-205-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-207-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-209-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-211-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-213-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-215-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-217-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-219-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-221-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-1119-0x0000000006F80000-0x0000000006FD0000-memory.dmp

Filesize
320KB

Download
memory/2252-227-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-225-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-229-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-231-0x0000000002430000-0x000000000246C000-memory.dmp

Filesize
240KB

Download
memory/2252-458-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2252-460-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2252-1106-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/2252-1107-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/2252-1108-0x0000000005990000-0x00000000059A2000-memory.dmp

Filesize
72KB

Download
memory/2252-1109-0x00000000059B0000-0x00000000059EC000-memory.dmp

Filesize
240KB

Download
memory/2252-1110-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2252-1111-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/2252-1112-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/2252-1113-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2252-1114-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2252-1115-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/2252-1118-0x0000000006F00000-0x0000000006F76000-memory.dmp

Filesize
472KB

Download
memory/2252-1117-0x0000000006890000-0x0000000006DBC000-memory.dmp

Filesize
5.2MB

Download
memory/2512-1149-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/2748-1167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3044-1159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3044-1156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3064-1162-0x0000000007080000-0x0000000007090000-memory.dmp

Filesize
64KB

Download
memory/4200-1134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4200-1148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4772-192-0x0000000000C00000-0x0000000000C2A000-memory.dmp

Filesize
168KB

Download
memory/4820-178-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-186-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4820-174-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-172-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-180-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-182-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-170-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-184-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-185-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4820-168-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-166-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-176-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-164-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-187-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4820-162-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-160-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-158-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-157-0x0000000005060000-0x0000000005076000-memory.dmp

Filesize
88KB

Download
memory/4820-156-0x0000000004AB0000-0x0000000005054000-memory.dmp

Filesize
5.6MB

Download
memory/4820-154-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4820-155-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/4832-1189-0x0000000007870000-0x0000000007880000-memory.dmp

Filesize
64KB

Download