redline | 7e529e7385d36aff568fc23ebee74c2100407dd45ced3088190021be13eecf4c

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1020KB
MD5

47c9fad851d822398e63211fd7407f71
SHA1

ea5154a47be879d569c966d217db9f6bc2eabe19
SHA256

7e529e7385d36aff568fc23ebee74c2100407dd45ced3088190021be13eecf4c
SHA512

dc7de56bf0534a764600dc010775b6cf1daed3aa4ab35e7375f9fddf0af9590f94df8cd2b1d47dee0b9affca7c179ef9581d0d6e4ead098c111f51a75eb354ab
SSDEEP

24576:4yMVtu0XQyC6Ey1vL+k+lwA6ivn2XGH8A1pn7Y:/MVPQy5E2+Hwov

Score

10^/10

redline lupa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lupa

83.97.73.122:19062

Attributes

auth_value
6a764aa41830c77712442516d143bc9c

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o1663671.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o1663671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o1663671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o1663671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o1663671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o1663671.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral2/memory/4524-207-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-208-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-210-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-212-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-214-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-216-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-218-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-220-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-226-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-224-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-232-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-234-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-230-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-228-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-236-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-238-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-222-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-241-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-244-0x0000000004990000-0x00000000049CC000-memory.dmp	family_redline
behavioral2/memory/4524-1118-0x0000000004B50000-0x0000000004B60000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legends.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	s7067614.exe

Executes dropped EXE 13 IoCs

pid	Process
2544	z2499859.exe
4916	z3353742.exe
856	o1663671.exe
1780	p4455314.exe
4524	r6070295.exe
2328	s7067614.exe
320	s7067614.exe
2808	legends.exe
3956	legends.exe
4812	legends.exe
2052	legends.exe
5068	legends.exe
2916	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
1592	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o1663671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o1663671.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3353742.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2499859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2499859.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3353742.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 320	2328	s7067614.exe	99
PID 2808 set thread context of 2052	2808	legends.exe	106
PID 5068 set thread context of 2916	5068	legends.exe	119

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
856	o1663671.exe
856	o1663671.exe
1780	p4455314.exe
1780	p4455314.exe
4524	r6070295.exe
4524	r6070295.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	o1663671.exe
Token: SeDebugPrivilege	1780	p4455314.exe
Token: SeDebugPrivilege	4524	r6070295.exe
Token: SeDebugPrivilege	2328	s7067614.exe
Token: SeDebugPrivilege	2808	legends.exe
Token: SeDebugPrivilege	5068	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
320	s7067614.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2544	1784	file.exe	88
PID 1784 wrote to memory of 2544	1784	file.exe	88
PID 1784 wrote to memory of 2544	1784	file.exe	88
PID 2544 wrote to memory of 4916	2544	z2499859.exe	90
PID 2544 wrote to memory of 4916	2544	z2499859.exe	90
PID 2544 wrote to memory of 4916	2544	z2499859.exe	90
PID 4916 wrote to memory of 856	4916	z3353742.exe	89
PID 4916 wrote to memory of 856	4916	z3353742.exe	89
PID 4916 wrote to memory of 856	4916	z3353742.exe	89
PID 4916 wrote to memory of 1780	4916	z3353742.exe	94
PID 4916 wrote to memory of 1780	4916	z3353742.exe	94
PID 4916 wrote to memory of 1780	4916	z3353742.exe	94
PID 2544 wrote to memory of 4524	2544	z2499859.exe	95
PID 2544 wrote to memory of 4524	2544	z2499859.exe	95
PID 2544 wrote to memory of 4524	2544	z2499859.exe	95
PID 1784 wrote to memory of 2328	1784	file.exe	98
PID 1784 wrote to memory of 2328	1784	file.exe	98
PID 1784 wrote to memory of 2328	1784	file.exe	98
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 2328 wrote to memory of 320	2328	s7067614.exe	99
PID 320 wrote to memory of 2808	320	s7067614.exe	103
PID 320 wrote to memory of 2808	320	s7067614.exe	103
PID 320 wrote to memory of 2808	320	s7067614.exe	103
PID 2808 wrote to memory of 3956	2808	legends.exe	104
PID 2808 wrote to memory of 3956	2808	legends.exe	104
PID 2808 wrote to memory of 3956	2808	legends.exe	104
PID 2808 wrote to memory of 3956	2808	legends.exe	104
PID 2808 wrote to memory of 4812	2808	legends.exe	105
PID 2808 wrote to memory of 4812	2808	legends.exe	105
PID 2808 wrote to memory of 4812	2808	legends.exe	105
PID 2808 wrote to memory of 4812	2808	legends.exe	105
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2808 wrote to memory of 2052	2808	legends.exe	106
PID 2052 wrote to memory of 3372	2052	legends.exe	107
PID 2052 wrote to memory of 3372	2052	legends.exe	107
PID 2052 wrote to memory of 3372	2052	legends.exe	107
PID 2052 wrote to memory of 3404	2052	legends.exe	109
PID 2052 wrote to memory of 3404	2052	legends.exe	109
PID 2052 wrote to memory of 3404	2052	legends.exe	109
PID 3404 wrote to memory of 2076	3404	cmd.exe	111
PID 3404 wrote to memory of 2076	3404	cmd.exe	111
PID 3404 wrote to memory of 2076	3404	cmd.exe	111
PID 3404 wrote to memory of 2376	3404	cmd.exe	112
PID 3404 wrote to memory of 2376	3404	cmd.exe	112
PID 3404 wrote to memory of 2376	3404	cmd.exe	112
PID 3404 wrote to memory of 2936	3404	cmd.exe	113
PID 3404 wrote to memory of 2936	3404	cmd.exe	113
PID 3404 wrote to memory of 2936	3404	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2499859.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2499859.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3353742.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3353742.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4455314.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4455314.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6070295.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6070295.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7067614.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7067614.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7067614.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7067614.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        
        PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3372
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:4472
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:1592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1663671.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1663671.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5068
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:2916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7067614.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7067614.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7067614.exe

Filesize
963KB

MD5
fa50d39c2ea4927438a5c30e64382444

SHA1
ad42dbbba5260b9253f4d9d3c00ce31e347df65a

SHA256
5409c173c4b10ec535e417656336fe7c585a33ab5130e08e5427101c014fd880

SHA512
c0387d3539f50abe91cb05ca9671a2e220d751a67b6ec6357555f8f18e2003c5f85f9dca68858ecac0f9e557a4d394871aff9f26f9ea6eca1473017064854c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2499859.exe

Filesize
575KB

MD5
b85ab471a2a32c11529610f5e5c5e51d

SHA1
43f24f7def0dc969828146c2436b16f638b60412

SHA256
a8edc276b3f7d31647bbf10eb171001f6ea5d3d98bcb8f96f5cd6cc10c070d20

SHA512
4117f078e7b5608fe17f42fea015124e07fe3d5b6b66841f4f413e675f7867c4e435b30d77e49c1d7f5c434d26d75ea9c484b43fab76b645907fb1d52b5f1785

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2499859.exe

Filesize
575KB

MD5
b85ab471a2a32c11529610f5e5c5e51d

SHA1
43f24f7def0dc969828146c2436b16f638b60412

SHA256
a8edc276b3f7d31647bbf10eb171001f6ea5d3d98bcb8f96f5cd6cc10c070d20

SHA512
4117f078e7b5608fe17f42fea015124e07fe3d5b6b66841f4f413e675f7867c4e435b30d77e49c1d7f5c434d26d75ea9c484b43fab76b645907fb1d52b5f1785

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6070295.exe

Filesize
284KB

MD5
bee7a4348f0a7905246f45dc862d8c25

SHA1
38408b56a3959d50b5c9f48448567fed2681e984

SHA256
556b8ee2864718ebc2bba67a322b5fcad5f07f6b00acf4b44fe28097ca92612d

SHA512
3dc9340c6dd7457ad0d8163af353b8df0fb912b22f217150220f98ccd7bcecc35b06d6311a3c875d68a375c04dcdabd5ca58f6c0963d6c3f48df5c53c0b6ed54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6070295.exe

Filesize
284KB

MD5
bee7a4348f0a7905246f45dc862d8c25

SHA1
38408b56a3959d50b5c9f48448567fed2681e984

SHA256
556b8ee2864718ebc2bba67a322b5fcad5f07f6b00acf4b44fe28097ca92612d

SHA512
3dc9340c6dd7457ad0d8163af353b8df0fb912b22f217150220f98ccd7bcecc35b06d6311a3c875d68a375c04dcdabd5ca58f6c0963d6c3f48df5c53c0b6ed54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3353742.exe

Filesize
304KB

MD5
8c6da8424b7e4cf1c621a525b54aea3f

SHA1
5d77fbbafcede1c7bd9df53b83b74842a8edc066

SHA256
f6dfdab0d6ad6dfb8a82ffee1db6451817663e03c686f36641bff73a21de8851

SHA512
e6bae40f1428e8b5d762aea7aca2165f21decb450866968d31c0e7bb706dd1be2accb4af82ef3884189956e1068825e62b286d5c95642699de4ab3d478c5dd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3353742.exe

Filesize
304KB

MD5
8c6da8424b7e4cf1c621a525b54aea3f

SHA1
5d77fbbafcede1c7bd9df53b83b74842a8edc066

SHA256
f6dfdab0d6ad6dfb8a82ffee1db6451817663e03c686f36641bff73a21de8851

SHA512
e6bae40f1428e8b5d762aea7aca2165f21decb450866968d31c0e7bb706dd1be2accb4af82ef3884189956e1068825e62b286d5c95642699de4ab3d478c5dd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1663671.exe

Filesize
186KB

MD5
1dce61ecd0cdedcb4f5a8f5885a95741

SHA1
280b58e329ee1f2a75ae5199eb049f319be26f94

SHA256
d0a3e10e29f820877ca5f582b7708e3f514298f33c99caa041d5d1cc5bc9604a

SHA512
d94cf9beb3f0b858c9e7416e564decda05f539ca3e43f8d6f30429521fcb80d1192ca9301739061e5bdde7bb78346140c91f4fd1091e3227933b0db0fa96d6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o1663671.exe

Filesize
186KB

MD5
1dce61ecd0cdedcb4f5a8f5885a95741

SHA1
280b58e329ee1f2a75ae5199eb049f319be26f94

SHA256
d0a3e10e29f820877ca5f582b7708e3f514298f33c99caa041d5d1cc5bc9604a

SHA512
d94cf9beb3f0b858c9e7416e564decda05f539ca3e43f8d6f30429521fcb80d1192ca9301739061e5bdde7bb78346140c91f4fd1091e3227933b0db0fa96d6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4455314.exe

Filesize
145KB

MD5
7a0bbff5b25fc97ae8a7b50cb56e7a49

SHA1
a53fde5e21dab81455b71882ca18d895806d89b0

SHA256
64a5f66184a8c25e34c580b8cbf5aded806b5ef7d9603e489672399d63513f59

SHA512
91cc4f54b79a85b16316d83ee9fef7326ddef42454c0f30fe7ffdf91ff8180c20e691a18da27eebc75cf61b33099f1e86e899595aef52385a76ab09e843591fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p4455314.exe

Filesize
145KB

MD5
7a0bbff5b25fc97ae8a7b50cb56e7a49

SHA1
a53fde5e21dab81455b71882ca18d895806d89b0

SHA256
64a5f66184a8c25e34c580b8cbf5aded806b5ef7d9603e489672399d63513f59

SHA512
91cc4f54b79a85b16316d83ee9fef7326ddef42454c0f30fe7ffdf91ff8180c20e691a18da27eebc75cf61b33099f1e86e899595aef52385a76ab09e843591fe

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/320-1132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/320-1146-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/856-185-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/856-158-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-164-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-184-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/856-183-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/856-166-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-168-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-174-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-176-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-178-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-162-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-180-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-182-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-170-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-172-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-154-0x0000000004A90000-0x0000000005034000-memory.dmp

Filesize
5.6MB

Download
memory/856-160-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-155-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/856-156-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/1780-201-0x0000000007230000-0x000000000775C000-memory.dmp

Filesize
5.2MB

Download
memory/1780-196-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/1780-193-0x0000000005130000-0x0000000005142000-memory.dmp

Filesize
72KB

Download
memory/1780-190-0x0000000000760000-0x000000000078A000-memory.dmp

Filesize
168KB

Download
memory/1780-194-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/1780-192-0x0000000005200000-0x000000000530A000-memory.dmp

Filesize
1.0MB

Download
memory/1780-191-0x00000000056E0000-0x0000000005CF8000-memory.dmp

Filesize
6.1MB

Download
memory/1780-202-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/1780-200-0x0000000006B30000-0x0000000006CF2000-memory.dmp

Filesize
1.8MB

Download
memory/1780-195-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/1780-199-0x0000000006240000-0x0000000006290000-memory.dmp

Filesize
320KB

Download
memory/1780-198-0x00000000068E0000-0x0000000006956000-memory.dmp

Filesize
472KB

Download
memory/1780-197-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/2052-1156-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2052-1159-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2328-1125-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/2328-1124-0x0000000000DB0000-0x0000000000EA8000-memory.dmp

Filesize
992KB

Download
memory/2808-1147-0x0000000007570000-0x0000000007580000-memory.dmp

Filesize
64KB

Download
memory/2916-1187-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4524-210-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-234-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-1118-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4524-1117-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4524-240-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4524-244-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-243-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4524-241-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-222-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-238-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-236-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-228-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-230-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-1119-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4524-232-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-224-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-226-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-220-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-218-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-216-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-214-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-212-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-207-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/4524-208-0x0000000004990000-0x00000000049CC000-memory.dmp

Filesize
240KB

Download
memory/5068-1182-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download