redline | ec8e9e94d99bbf7bbdb33b5d003b736a65f0446b5bde067857922eb7044c58b4

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a910223a596d707632c404b4e1ac3ce1.exe
Size

1021KB
MD5

a910223a596d707632c404b4e1ac3ce1
SHA1

cc1481465266be2bf0d2d7469753c778d46603d3
SHA256

ec8e9e94d99bbf7bbdb33b5d003b736a65f0446b5bde067857922eb7044c58b4
SHA512

7437b4e7ce556108e4ab2f5f2c18796ac0395317ca4d156b7a0a9b99768488c7286e33f6ce2656fc2533dce26c250cf12b159711946a7170307ad2e027d93049
SSDEEP

12288:3MrBy90vNnbxZ7+Dj6DFrh0kZhwpU1dAZ2xWotsfGk51+6/pmsND5Tk4Pp2w1wL1:+yeNfSm9mCyU102yi6/pmsdTk4HQ

Score

10^/10

redline luper discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luper

77.91.68.253:19065

Attributes

auth_value
474f8e2f629b7bc1a8c7ea1dc39ca043

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o4825287.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o4825287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o4825287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o4825287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o4825287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o4825287.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral2/memory/1180-210-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-211-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-213-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-215-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-217-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-219-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-221-0x0000000004AE0000-0x0000000004AF0000-memory.dmp	family_redline
behavioral2/memory/1180-222-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-225-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-228-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-230-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-232-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-234-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-236-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-238-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-240-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-242-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-244-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-246-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline
behavioral2/memory/1180-248-0x00000000049B0000-0x00000000049EC000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s4652586.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 14 IoCs

pid	Process
720	z4785108.exe
1540	z1603742.exe
4596	o4825287.exe
3344	p1898208.exe
1180	r5964166.exe
604	s4652586.exe
2600	s4652586.exe
1656	legends.exe
4760	legends.exe
368	legends.exe
2180	legends.exe
3612	legends.exe
3700	legends.exe
4328	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
212	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o4825287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o4825287.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a910223a596d707632c404b4e1ac3ce1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a910223a596d707632c404b4e1ac3ce1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z4785108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4785108.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z1603742.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1603742.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 604 set thread context of 2600	604	s4652586.exe	91
PID 1656 set thread context of 4760	1656	legends.exe	93
PID 368 set thread context of 3612	368	legends.exe	106
PID 3700 set thread context of 4328	3700	legends.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4596	o4825287.exe
4596	o4825287.exe
3344	p1898208.exe
3344	p1898208.exe
1180	r5964166.exe
1180	r5964166.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	o4825287.exe
Token: SeDebugPrivilege	3344	p1898208.exe
Token: SeDebugPrivilege	1180	r5964166.exe
Token: SeDebugPrivilege	604	s4652586.exe
Token: SeDebugPrivilege	1656	legends.exe
Token: SeDebugPrivilege	368	legends.exe
Token: SeDebugPrivilege	3700	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2600	s4652586.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 720	3660	a910223a596d707632c404b4e1ac3ce1.exe	84
PID 3660 wrote to memory of 720	3660	a910223a596d707632c404b4e1ac3ce1.exe	84
PID 3660 wrote to memory of 720	3660	a910223a596d707632c404b4e1ac3ce1.exe	84
PID 720 wrote to memory of 1540	720	z4785108.exe	85
PID 720 wrote to memory of 1540	720	z4785108.exe	85
PID 720 wrote to memory of 1540	720	z4785108.exe	85
PID 1540 wrote to memory of 4596	1540	z1603742.exe	86
PID 1540 wrote to memory of 4596	1540	z1603742.exe	86
PID 1540 wrote to memory of 4596	1540	z1603742.exe	86
PID 1540 wrote to memory of 3344	1540	z1603742.exe	87
PID 1540 wrote to memory of 3344	1540	z1603742.exe	87
PID 1540 wrote to memory of 3344	1540	z1603742.exe	87
PID 720 wrote to memory of 1180	720	z4785108.exe	88
PID 720 wrote to memory of 1180	720	z4785108.exe	88
PID 720 wrote to memory of 1180	720	z4785108.exe	88
PID 3660 wrote to memory of 604	3660	a910223a596d707632c404b4e1ac3ce1.exe	90
PID 3660 wrote to memory of 604	3660	a910223a596d707632c404b4e1ac3ce1.exe	90
PID 3660 wrote to memory of 604	3660	a910223a596d707632c404b4e1ac3ce1.exe	90
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 604 wrote to memory of 2600	604	s4652586.exe	91
PID 2600 wrote to memory of 1656	2600	s4652586.exe	92
PID 2600 wrote to memory of 1656	2600	s4652586.exe	92
PID 2600 wrote to memory of 1656	2600	s4652586.exe	92
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 1656 wrote to memory of 4760	1656	legends.exe	93
PID 4760 wrote to memory of 4228	4760	legends.exe	94
PID 4760 wrote to memory of 4228	4760	legends.exe	94
PID 4760 wrote to memory of 4228	4760	legends.exe	94
PID 4760 wrote to memory of 4648	4760	legends.exe	96
PID 4760 wrote to memory of 4648	4760	legends.exe	96
PID 4760 wrote to memory of 4648	4760	legends.exe	96
PID 4648 wrote to memory of 4216	4648	cmd.exe	98
PID 4648 wrote to memory of 4216	4648	cmd.exe	98
PID 4648 wrote to memory of 4216	4648	cmd.exe	98
PID 4648 wrote to memory of 1700	4648	cmd.exe	99
PID 4648 wrote to memory of 1700	4648	cmd.exe	99
PID 4648 wrote to memory of 1700	4648	cmd.exe	99
PID 4648 wrote to memory of 4620	4648	cmd.exe	100
PID 4648 wrote to memory of 4620	4648	cmd.exe	100
PID 4648 wrote to memory of 4620	4648	cmd.exe	100
PID 4648 wrote to memory of 4144	4648	cmd.exe	101
PID 4648 wrote to memory of 4144	4648	cmd.exe	101
PID 4648 wrote to memory of 4144	4648	cmd.exe	101
PID 4648 wrote to memory of 2388	4648	cmd.exe	102
PID 4648 wrote to memory of 2388	4648	cmd.exe	102
PID 4648 wrote to memory of 2388	4648	cmd.exe	102
PID 4648 wrote to memory of 4436	4648	cmd.exe	103
PID 4648 wrote to memory of 4436	4648	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\a910223a596d707632c404b4e1ac3ce1.exe
"C:\Users\Admin\AppData\Local\Temp\a910223a596d707632c404b4e1ac3ce1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4785108.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4785108.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1603742.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1603742.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4825287.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4825287.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1898208.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1898208.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5964166.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5964166.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4652586.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4652586.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4652586.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4652586.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4228
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4436
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:212

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:368
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:3612

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3700
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4652586.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4652586.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4652586.exe

Filesize
962KB

MD5
b7fd4476dd01c1d8e8db38c5b67f308f

SHA1
376f99bf029aa745b3ec0875fed2a29f26433437

SHA256
431853abe6183de9b0297fcb81ff867854c5699caaeb5d98bbde375f18176078

SHA512
f507f17f21ea18132bad08e677eecd9d0fa744801a8cc6b3b1638609dea934a024b7bf62cd4a0e2f82d818f7bb72022c748ef3dff2e88986e507327759c13518

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4785108.exe

Filesize
576KB

MD5
ee6c23eb8368789f6b0fcfa9043ba544

SHA1
6c4e991f38c69b828bac18f78549c50dddf515e8

SHA256
af4f4d4f21a2de7168c06ed210dabb1b615594327f2b04a57e398cf5a761af5b

SHA512
fec15b110845cb241070c6310d13a65ec1826fb8f28b2ca8a30654aae220be2e29354143467c453b191ae4d78097635173efad435b90e312bd12df2b3fccd062

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4785108.exe

Filesize
576KB

MD5
ee6c23eb8368789f6b0fcfa9043ba544

SHA1
6c4e991f38c69b828bac18f78549c50dddf515e8

SHA256
af4f4d4f21a2de7168c06ed210dabb1b615594327f2b04a57e398cf5a761af5b

SHA512
fec15b110845cb241070c6310d13a65ec1826fb8f28b2ca8a30654aae220be2e29354143467c453b191ae4d78097635173efad435b90e312bd12df2b3fccd062

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5964166.exe

Filesize
284KB

MD5
5e7d3be2b8a650df3d590e97297c47c1

SHA1
f0f6ce37913b8c6ec020c8f62caa15b91dc2fdbe

SHA256
8c8afd07139b9cebf67bebae8813aca8848b9e1402a0639efc4acdeb2c85971e

SHA512
36e4af18699454091bda0d24343d5cb31f7f649674deab3ffdc01ce093e7b0a55b9ffd4d32ce511f6fd0fb1c2b9f21dbc0c52cefa474413a45bb44b02f994610

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5964166.exe

Filesize
284KB

MD5
5e7d3be2b8a650df3d590e97297c47c1

SHA1
f0f6ce37913b8c6ec020c8f62caa15b91dc2fdbe

SHA256
8c8afd07139b9cebf67bebae8813aca8848b9e1402a0639efc4acdeb2c85971e

SHA512
36e4af18699454091bda0d24343d5cb31f7f649674deab3ffdc01ce093e7b0a55b9ffd4d32ce511f6fd0fb1c2b9f21dbc0c52cefa474413a45bb44b02f994610

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1603742.exe

Filesize
305KB

MD5
460e2723790f10cb7a5fc0277d09a5cf

SHA1
270014cec76c82dc906fb98d452f9b7d970b99cb

SHA256
f5eab1c4024333a2716fde20b7efa399af14488debd7c46567cfb75f97b48ef4

SHA512
01354c30a64c058e622bce3a547c99aa147634909e66d9bc073518a8c70cb530586e88ce59e0c2f575f977a8738825bdf85b18ea63a77f2248be78f32a206aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1603742.exe

Filesize
305KB

MD5
460e2723790f10cb7a5fc0277d09a5cf

SHA1
270014cec76c82dc906fb98d452f9b7d970b99cb

SHA256
f5eab1c4024333a2716fde20b7efa399af14488debd7c46567cfb75f97b48ef4

SHA512
01354c30a64c058e622bce3a547c99aa147634909e66d9bc073518a8c70cb530586e88ce59e0c2f575f977a8738825bdf85b18ea63a77f2248be78f32a206aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4825287.exe

Filesize
184KB

MD5
d316a24ea6dff1d9f9b009689251d98c

SHA1
d06a7071691d88e7a482ca7a6bb3636e6c52a0a6

SHA256
72286ff6def26a0bafbac7cba5a78afa9619d287f64f8896f9278a0743ac115d

SHA512
00ee2f2dd709285fba21924a7cd3db3a8705e9b3894c372ae9141eb0296e2565c13207859c89ffaeb075352f7bf892a1915f6f95b10d27b0e47e4fd41c952fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o4825287.exe

Filesize
184KB

MD5
d316a24ea6dff1d9f9b009689251d98c

SHA1
d06a7071691d88e7a482ca7a6bb3636e6c52a0a6

SHA256
72286ff6def26a0bafbac7cba5a78afa9619d287f64f8896f9278a0743ac115d

SHA512
00ee2f2dd709285fba21924a7cd3db3a8705e9b3894c372ae9141eb0296e2565c13207859c89ffaeb075352f7bf892a1915f6f95b10d27b0e47e4fd41c952fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1898208.exe

Filesize
145KB

MD5
aeffe8be570f6d167ab4adde7fc6b98b

SHA1
f4b1458440483308b399694c5fe95e9d1f810aa9

SHA256
3075ebb4f4f2503858499f8064d496edf2d6e49081f8103142fa7cdb4019bed9

SHA512
702eb53e26af92336559a27a696ecd7ad18944f290c9ceb41b0f2f9d8467efc39e05888bcc09a79292290ca70d6c20b8d0b96bc13b4f59d6f34e3dcebcb3ff89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1898208.exe

Filesize
145KB

MD5
aeffe8be570f6d167ab4adde7fc6b98b

SHA1
f4b1458440483308b399694c5fe95e9d1f810aa9

SHA256
3075ebb4f4f2503858499f8064d496edf2d6e49081f8103142fa7cdb4019bed9

SHA512
702eb53e26af92336559a27a696ecd7ad18944f290c9ceb41b0f2f9d8467efc39e05888bcc09a79292290ca70d6c20b8d0b96bc13b4f59d6f34e3dcebcb3ff89

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/604-1129-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/604-1128-0x0000000000F40000-0x0000000001038000-memory.dmp

Filesize
992KB

Download
memory/1180-215-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-240-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-1123-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1180-1122-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1180-1121-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1180-248-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-246-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-244-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-242-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-238-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-236-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-234-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-232-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-230-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-228-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-225-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-210-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-211-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-213-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-226-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1180-217-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-219-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-221-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1180-222-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/1180-223-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1656-1151-0x00000000077A0000-0x00000000077B0000-memory.dmp

Filesize
64KB

Download
memory/2600-1136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-1149-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3344-193-0x0000000000920000-0x000000000094A000-memory.dmp

Filesize
168KB

Download
memory/3344-199-0x0000000005E60000-0x0000000005EF2000-memory.dmp

Filesize
584KB

Download
memory/3344-203-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3344-202-0x0000000007290000-0x00000000077BC000-memory.dmp

Filesize
5.2MB

Download
memory/3344-201-0x0000000006B90000-0x0000000006D52000-memory.dmp

Filesize
1.8MB

Download
memory/3344-205-0x0000000006B30000-0x0000000006B80000-memory.dmp

Filesize
320KB

Download
memory/3344-200-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/3344-204-0x0000000006D60000-0x0000000006DD6000-memory.dmp

Filesize
472KB

Download
memory/3344-198-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/3344-197-0x0000000005370000-0x00000000053AC000-memory.dmp

Filesize
240KB

Download
memory/3344-196-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/3344-195-0x00000000053C0000-0x00000000054CA000-memory.dmp

Filesize
1.0MB

Download
memory/3344-194-0x0000000005840000-0x0000000005E58000-memory.dmp

Filesize
6.1MB

Download
memory/3612-1169-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4328-1195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4596-175-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-167-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-186-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4596-183-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-179-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-177-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-185-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-171-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-181-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-169-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-187-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4596-173-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-164-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4596-165-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-154-0x0000000004A00000-0x0000000004FA4000-memory.dmp

Filesize
5.6MB

Download
memory/4596-162-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4596-188-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4596-160-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-161-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/4596-156-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-158-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4596-155-0x0000000004960000-0x0000000004976000-memory.dmp

Filesize
88KB

Download
memory/4760-1164-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4760-1158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download