redline | 27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2023, 06:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe
Size

1021KB
MD5

b4fafbd40caa3f935d9928a0b1581439
SHA1

7410a66c3993997fbcec79ff33a9a19de536d9ab
SHA256

27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9
SHA512

1b29f83730de0167fca0d7e582e1aad13a38796a7880d977f9ef67729d95be154a7580acdc745098126929fc0b4373d34880fee3c882b4575c903b112e04dcff
SSDEEP

24576:fypM2hkm5aTPq1WyAKeI0IhPoXVRjwDSS3V:qff5aTPqcKKcAXbwWS3

Score

10^/10

redline luza discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

luza

185.161.248.37:4138

Attributes

auth_value
1261701914d508e02e8b4f25d38bc7f9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o2912756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o2912756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o2912756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o2912756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o2912756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o2912756.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 22 IoCs

resource	yara_rule
behavioral2/memory/1884-210-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-209-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-212-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-214-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-216-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-218-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-220-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-222-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-224-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-226-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-228-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-230-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-232-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-234-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-236-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-238-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-240-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-242-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-244-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/1884-599-0x0000000004AE0000-0x0000000004AF0000-memory.dmp	family_redline
behavioral2/memory/1884-1122-0x0000000004AE0000-0x0000000004AF0000-memory.dmp	family_redline
behavioral2/memory/1884-1121-0x0000000004AE0000-0x0000000004AF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	s9000628.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 13 IoCs

pid	Process
1576	z3786085.exe
4692	z5254998.exe
1532	o2912756.exe
3328	p8122792.exe
1884	r1142642.exe
3720	s9000628.exe
4612	s9000628.exe
2856	legends.exe
3696	legends.exe
3816	legends.exe
2224	legends.exe
2132	legends.exe
4696	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
2528	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o2912756.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o2912756.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5254998.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3786085.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3786085.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5254998.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3720 set thread context of 4612	3720	s9000628.exe	91
PID 2856 set thread context of 3696	2856	legends.exe	93
PID 3816 set thread context of 2224	3816	legends.exe	105
PID 2132 set thread context of 4696	2132	legends.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1532	o2912756.exe
1532	o2912756.exe
3328	p8122792.exe
3328	p8122792.exe
1884	r1142642.exe
1884	r1142642.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	o2912756.exe
Token: SeDebugPrivilege	3328	p8122792.exe
Token: SeDebugPrivilege	1884	r1142642.exe
Token: SeDebugPrivilege	3720	s9000628.exe
Token: SeDebugPrivilege	2856	legends.exe
Token: SeDebugPrivilege	3816	legends.exe
Token: SeDebugPrivilege	2132	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4612	s9000628.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1576	2144	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe	84
PID 2144 wrote to memory of 1576	2144	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe	84
PID 2144 wrote to memory of 1576	2144	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe	84
PID 1576 wrote to memory of 4692	1576	z3786085.exe	85
PID 1576 wrote to memory of 4692	1576	z3786085.exe	85
PID 1576 wrote to memory of 4692	1576	z3786085.exe	85
PID 4692 wrote to memory of 1532	4692	z5254998.exe	86
PID 4692 wrote to memory of 1532	4692	z5254998.exe	86
PID 4692 wrote to memory of 1532	4692	z5254998.exe	86
PID 4692 wrote to memory of 3328	4692	z5254998.exe	87
PID 4692 wrote to memory of 3328	4692	z5254998.exe	87
PID 4692 wrote to memory of 3328	4692	z5254998.exe	87
PID 1576 wrote to memory of 1884	1576	z3786085.exe	88
PID 1576 wrote to memory of 1884	1576	z3786085.exe	88
PID 1576 wrote to memory of 1884	1576	z3786085.exe	88
PID 2144 wrote to memory of 3720	2144	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe	90
PID 2144 wrote to memory of 3720	2144	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe	90
PID 2144 wrote to memory of 3720	2144	27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe	90
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 3720 wrote to memory of 4612	3720	s9000628.exe	91
PID 4612 wrote to memory of 2856	4612	s9000628.exe	92
PID 4612 wrote to memory of 2856	4612	s9000628.exe	92
PID 4612 wrote to memory of 2856	4612	s9000628.exe	92
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 2856 wrote to memory of 3696	2856	legends.exe	93
PID 3696 wrote to memory of 2468	3696	legends.exe	94
PID 3696 wrote to memory of 2468	3696	legends.exe	94
PID 3696 wrote to memory of 2468	3696	legends.exe	94
PID 3696 wrote to memory of 1320	3696	legends.exe	96
PID 3696 wrote to memory of 1320	3696	legends.exe	96
PID 3696 wrote to memory of 1320	3696	legends.exe	96
PID 1320 wrote to memory of 444	1320	cmd.exe	98
PID 1320 wrote to memory of 444	1320	cmd.exe	98
PID 1320 wrote to memory of 444	1320	cmd.exe	98
PID 1320 wrote to memory of 2928	1320	cmd.exe	99
PID 1320 wrote to memory of 2928	1320	cmd.exe	99
PID 1320 wrote to memory of 2928	1320	cmd.exe	99
PID 1320 wrote to memory of 3040	1320	cmd.exe	100
PID 1320 wrote to memory of 3040	1320	cmd.exe	100
PID 1320 wrote to memory of 3040	1320	cmd.exe	100
PID 1320 wrote to memory of 2732	1320	cmd.exe	101
PID 1320 wrote to memory of 2732	1320	cmd.exe	101
PID 1320 wrote to memory of 2732	1320	cmd.exe	101
PID 1320 wrote to memory of 1676	1320	cmd.exe	102
PID 1320 wrote to memory of 1676	1320	cmd.exe	102
PID 1320 wrote to memory of 1676	1320	cmd.exe	102
PID 1320 wrote to memory of 2696	1320	cmd.exe	103
PID 1320 wrote to memory of 2696	1320	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe
"C:\Users\Admin\AppData\Local\Temp\27f56ed6d4a4728406f537b1d3bd3677fe612e25c721d9bceebadc2aa3a954b9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3786085.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3786085.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5254998.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5254998.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2912756.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2912756.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8122792.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8122792.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1142642.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1142642.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9000628.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9000628.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9000628.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9000628.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2468
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:2696
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2528

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3816
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2224

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2132
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9000628.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9000628.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9000628.exe

Filesize
963KB

MD5
2645659c824565ffbcb580f6d5783700

SHA1
cfdd42ab6babead1b848f474b476920dbeecfd73

SHA256
5b909512e93f74c86019c6d5d7085e229799a2d5d5cda70c50d2b75a3e665457

SHA512
0564648448516ad70ae3ef76be7481109b6783b7e130c4554adf7ffba82a01a086a80c717221591d6102814b57b34b68ec42c88c88c06668b6526b6ec9a757d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3786085.exe

Filesize
577KB

MD5
ad3af65612c578641a309ac88df42c89

SHA1
c6a8b684d83bf9daa350bec4b1a6c8732c34783f

SHA256
17386bc4a251f47a6d6da8685c02140cdb23d2272b1fc3c488383e39f26280bd

SHA512
b01135cc874db14872c0374412f4ce7e1091afc179fd1f233f218f8c0466d447375def35c41d81488c25c5835c4f78fbbf249db6f13351dbe7b0d065689d9630

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3786085.exe

Filesize
577KB

MD5
ad3af65612c578641a309ac88df42c89

SHA1
c6a8b684d83bf9daa350bec4b1a6c8732c34783f

SHA256
17386bc4a251f47a6d6da8685c02140cdb23d2272b1fc3c488383e39f26280bd

SHA512
b01135cc874db14872c0374412f4ce7e1091afc179fd1f233f218f8c0466d447375def35c41d81488c25c5835c4f78fbbf249db6f13351dbe7b0d065689d9630

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1142642.exe

Filesize
286KB

MD5
bddd8a447a1e3c153aa0cac6e2d646e4

SHA1
70ad5e6047f3b201f10d538adc8a874ee55e2adb

SHA256
bcf062232badf844260a2531e21ab25a7996fbd7988b69adf9caf27c84c0f78d

SHA512
5aadf07eed7fa2ab2528c0d0ab26a14604070b786e3a5a4456482a5e1d253252dcccbd8cfd2c420eec264f20f887ff603e264b54e8adfc89680ac04f99698143

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1142642.exe

Filesize
286KB

MD5
bddd8a447a1e3c153aa0cac6e2d646e4

SHA1
70ad5e6047f3b201f10d538adc8a874ee55e2adb

SHA256
bcf062232badf844260a2531e21ab25a7996fbd7988b69adf9caf27c84c0f78d

SHA512
5aadf07eed7fa2ab2528c0d0ab26a14604070b786e3a5a4456482a5e1d253252dcccbd8cfd2c420eec264f20f887ff603e264b54e8adfc89680ac04f99698143

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5254998.exe

Filesize
305KB

MD5
6eff4219ff024b83284ec720665b07d3

SHA1
f3d0946ec03bc2266fa1e76f8dd5eb19b3c22fa9

SHA256
4e61868684ba70031a03762753bfdf66c0bc2cbd78bbe746bbecb7fa730301d2

SHA512
b3aef0b9b9d74eb884d8312b129f8687f64f48ecf4c08b776e329047cf37bb327837048d53215a1493801691dd2d2b8f73a1b5cdc9929f813b336acf5f29b70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5254998.exe

Filesize
305KB

MD5
6eff4219ff024b83284ec720665b07d3

SHA1
f3d0946ec03bc2266fa1e76f8dd5eb19b3c22fa9

SHA256
4e61868684ba70031a03762753bfdf66c0bc2cbd78bbe746bbecb7fa730301d2

SHA512
b3aef0b9b9d74eb884d8312b129f8687f64f48ecf4c08b776e329047cf37bb327837048d53215a1493801691dd2d2b8f73a1b5cdc9929f813b336acf5f29b70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2912756.exe

Filesize
186KB

MD5
eaf5a31de507f0ea7e393203c25f0cdc

SHA1
ec38a8d8fa744d35dac0255d97f58507b39bad47

SHA256
5e10b97e1759823ed54506f49367433d502c7fd6d3c17b6d75776fa6184603ad

SHA512
482d79cde3624655bd0f7be3c990d8f0c03a1e46ec3dbde861c18a8b708561f4d3e4407f8ef36ff718a5ec9d41577b1a41e0915f4978c5311334e072f6975476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o2912756.exe

Filesize
186KB

MD5
eaf5a31de507f0ea7e393203c25f0cdc

SHA1
ec38a8d8fa744d35dac0255d97f58507b39bad47

SHA256
5e10b97e1759823ed54506f49367433d502c7fd6d3c17b6d75776fa6184603ad

SHA512
482d79cde3624655bd0f7be3c990d8f0c03a1e46ec3dbde861c18a8b708561f4d3e4407f8ef36ff718a5ec9d41577b1a41e0915f4978c5311334e072f6975476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8122792.exe

Filesize
145KB

MD5
1289112200f978a88688127ea70c8e3e

SHA1
76cc9b4e7f4d80f20301885eb011c21398abb04d

SHA256
d3347c91a549786671b4dc3554be5f5176c7362936769668cc2499a057485e58

SHA512
a6009c781f4248cd0a2e14cb7302bd14ca064f968a9c36e1ac2cc7a12e41ce25ee28f5f917f48f7a8efa7ac28ba68453d3b8ad97769acb4816803764d6cf3369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8122792.exe

Filesize
145KB

MD5
1289112200f978a88688127ea70c8e3e

SHA1
76cc9b4e7f4d80f20301885eb011c21398abb04d

SHA256
d3347c91a549786671b4dc3554be5f5176c7362936769668cc2499a057485e58

SHA512
a6009c781f4248cd0a2e14cb7302bd14ca064f968a9c36e1ac2cc7a12e41ce25ee28f5f917f48f7a8efa7ac28ba68453d3b8ad97769acb4816803764d6cf3369

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1532-156-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1532-183-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-185-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-186-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1532-187-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1532-188-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1532-181-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-179-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-177-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-175-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-173-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-171-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-169-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-167-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-165-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-163-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-161-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-158-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-159-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1532-157-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1532-155-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1532-154-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/1884-222-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-595-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1884-226-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-228-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-230-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-232-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-234-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-236-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-238-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-240-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-242-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-244-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-597-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1884-214-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-599-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1884-1120-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1884-1122-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1884-1121-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1884-1123-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Filesize
64KB

Download
memory/1884-220-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-218-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-210-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-212-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-224-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-216-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/1884-209-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/2224-1168-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2856-1151-0x0000000007690000-0x00000000076A0000-memory.dmp

Filesize
64KB

Download
memory/3328-204-0x0000000006DE0000-0x000000000730C000-memory.dmp

Filesize
5.2MB

Download
memory/3328-197-0x0000000004C90000-0x0000000004CCC000-memory.dmp

Filesize
240KB

Download
memory/3328-202-0x0000000005D30000-0x0000000005D80000-memory.dmp

Filesize
320KB

Download
memory/3328-193-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/3328-194-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/3328-201-0x0000000005CB0000-0x0000000005D26000-memory.dmp

Filesize
472KB

Download
memory/3328-195-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/3328-200-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/3328-199-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/3328-196-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3328-198-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3328-203-0x00000000066E0000-0x00000000068A2000-memory.dmp

Filesize
1.8MB

Download
memory/3696-1169-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-1158-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3720-1128-0x0000000000F60000-0x0000000001058000-memory.dmp

Filesize
992KB

Download
memory/3720-1129-0x0000000007E50000-0x0000000007E60000-memory.dmp

Filesize
64KB

Download
memory/3816-1163-0x0000000006E50000-0x0000000006E60000-memory.dmp

Filesize
64KB

Download
memory/4612-1136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4612-1149-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4696-1195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download