redline | 9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2023 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe
Size

1.0MB
MD5

276f97368dee70b2fcf750b4dd0f1209
SHA1

427b46b61d385ebdc4bf73dd2d9a3ae7c3ff3917
SHA256

9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402
SHA512

e19071de4c2e4d09cc37a1a8c97f58f56fcc84dd6e40262d326ab763c381732109015869dc9b8c6fcb653a4d88ebbf589b6bef6302705c56cc45b195e3cb8308
SSDEEP

24576:uyObO6ZMxVt/Wpmd6avqYh8qcegqws7RA:9yO6qVt/Wpmd6aiY8ejwq

Score

10^/10

redline goga lisa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lisa

83.97.73.122:19062

Attributes

auth_value
c2dc311db9820012377b054447d37949

Extracted

Family

redline

Botnet

goga

83.97.73.122:19062

Attributes

auth_value
6d57dff6d3c42dddb8a76dc276b8467f

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s4599552.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s4599552.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 14 IoCs

Processes:

z6808455.exez8530051.exeo7968967.exep8133936.exer0353539.exes4599552.exes4599552.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4768	z6808455.exe
5056	z8530051.exe
2612	o7968967.exe
4464	p8133936.exe
2240	r0353539.exe
3376	s4599552.exe
4936	s4599552.exe
4152	legends.exe
748	legends.exe
2900	legends.exe
4832	legends.exe
2276	legends.exe
2752	legends.exe
4252	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4132 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4132	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z6808455.exez8530051.exe9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6808455.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8530051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8530051.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6808455.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o7968967.exer0353539.exes4599552.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 2612 set thread context of 2208	2612	o7968967.exe	AppLaunch.exe
PID 2240 set thread context of 2728	2240	r0353539.exe	AppLaunch.exe
PID 3376 set thread context of 4936	3376	s4599552.exe	s4599552.exe
PID 4152 set thread context of 748	4152	legends.exe	legends.exe
PID 2900 set thread context of 4832	2900	legends.exe	legends.exe
PID 2276 set thread context of 4252	2276	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3252 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AppLaunch.exep8133936.exeAppLaunch.exe

pid process

2208 AppLaunch.exe
2208 AppLaunch.exe
4464 p8133936.exe
4464 p8133936.exe
2728 AppLaunch.exe
2728 AppLaunch.exe

pid	process
3252	schtasks.exe

pid	process
2208	AppLaunch.exe
2208	AppLaunch.exe
4464	p8133936.exe
4464	p8133936.exe
2728	AppLaunch.exe
2728	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AppLaunch.exep8133936.exes4599552.exelegends.exeAppLaunch.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2208	AppLaunch.exe
Token: SeDebugPrivilege	4464	p8133936.exe
Token: SeDebugPrivilege	3376	s4599552.exe
Token: SeDebugPrivilege	4152	legends.exe
Token: SeDebugPrivilege	2728	AppLaunch.exe
Token: SeDebugPrivilege	2900	legends.exe
Token: SeDebugPrivilege	2276	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s4599552.exe

pid process

4936 s4599552.exe

pid	process
4936	s4599552.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exez6808455.exez8530051.exeo7968967.exer0353539.exes4599552.exes4599552.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 3800 wrote to memory of 4768	3800	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe	z6808455.exe
PID 3800 wrote to memory of 4768	3800	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe	z6808455.exe
PID 3800 wrote to memory of 4768	3800	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe	z6808455.exe
PID 4768 wrote to memory of 5056	4768	z6808455.exe	z8530051.exe
PID 4768 wrote to memory of 5056	4768	z6808455.exe	z8530051.exe
PID 4768 wrote to memory of 5056	4768	z6808455.exe	z8530051.exe
PID 5056 wrote to memory of 2612	5056	z8530051.exe	o7968967.exe
PID 5056 wrote to memory of 2612	5056	z8530051.exe	o7968967.exe
PID 5056 wrote to memory of 2612	5056	z8530051.exe	o7968967.exe
PID 2612 wrote to memory of 2208	2612	o7968967.exe	AppLaunch.exe
PID 2612 wrote to memory of 2208	2612	o7968967.exe	AppLaunch.exe
PID 2612 wrote to memory of 2208	2612	o7968967.exe	AppLaunch.exe
PID 2612 wrote to memory of 2208	2612	o7968967.exe	AppLaunch.exe
PID 2612 wrote to memory of 2208	2612	o7968967.exe	AppLaunch.exe
PID 5056 wrote to memory of 4464	5056	z8530051.exe	p8133936.exe
PID 5056 wrote to memory of 4464	5056	z8530051.exe	p8133936.exe
PID 5056 wrote to memory of 4464	5056	z8530051.exe	p8133936.exe
PID 4768 wrote to memory of 2240	4768	z6808455.exe	r0353539.exe
PID 4768 wrote to memory of 2240	4768	z6808455.exe	r0353539.exe
PID 4768 wrote to memory of 2240	4768	z6808455.exe	r0353539.exe
PID 2240 wrote to memory of 2728	2240	r0353539.exe	AppLaunch.exe
PID 2240 wrote to memory of 2728	2240	r0353539.exe	AppLaunch.exe
PID 2240 wrote to memory of 2728	2240	r0353539.exe	AppLaunch.exe
PID 2240 wrote to memory of 2728	2240	r0353539.exe	AppLaunch.exe
PID 2240 wrote to memory of 2728	2240	r0353539.exe	AppLaunch.exe
PID 3800 wrote to memory of 3376	3800	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe	s4599552.exe
PID 3800 wrote to memory of 3376	3800	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe	s4599552.exe
PID 3800 wrote to memory of 3376	3800	9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 3376 wrote to memory of 4936	3376	s4599552.exe	s4599552.exe
PID 4936 wrote to memory of 4152	4936	s4599552.exe	legends.exe
PID 4936 wrote to memory of 4152	4936	s4599552.exe	legends.exe
PID 4936 wrote to memory of 4152	4936	s4599552.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 4152 wrote to memory of 748	4152	legends.exe	legends.exe
PID 748 wrote to memory of 3252	748	legends.exe	schtasks.exe
PID 748 wrote to memory of 3252	748	legends.exe	schtasks.exe
PID 748 wrote to memory of 3252	748	legends.exe	schtasks.exe
PID 748 wrote to memory of 1696	748	legends.exe	cmd.exe
PID 748 wrote to memory of 1696	748	legends.exe	cmd.exe
PID 748 wrote to memory of 1696	748	legends.exe	cmd.exe
PID 1696 wrote to memory of 4492	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4492	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4492	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 1292	1696	cmd.exe	cacls.exe
PID 1696 wrote to memory of 1292	1696	cmd.exe	cacls.exe
PID 1696 wrote to memory of 1292	1696	cmd.exe	cacls.exe
PID 1696 wrote to memory of 3268	1696	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe
"C:\Users\Admin\AppData\Local\Temp\9123e1d5ce36850553013ce543c95697976e9506d542ae8433975162e718d402.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6808455.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6808455.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8530051.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8530051.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7968967.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7968967.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8133936.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8133936.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0353539.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0353539.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4599552.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4599552.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4599552.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4599552.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:3252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4492

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3224

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:3472

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:2384

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4132

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4599552.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4599552.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4599552.exe
Filesize
962KB

MD5
279fffec080c7af60ad51deec88bc5e1

SHA1
dae9f079e2f08bb5f69af9bf8eaa7aa1d6ea32cf

SHA256
e0fb5440683f0a41697e0fc052c3f8992f797b2308bfafda798ff074ea03af13

SHA512
6a61060c26bcbb45b9d79f050485d110cf6bb1c236bda94b80f42657e7f58bb798e9d908f0b8b8df16c80155a40e23c2fcf7b2ac02fe0927fe1044a8a321637c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6808455.exe
Filesize
592KB

MD5
d6e566e196bb66e265bfd87f59af59e9

SHA1
a16530027b701658d624f2952f8fc3352755959b

SHA256
98922050557544978351d381896521d4a212d50f478ff7ac9a8f2c4699aafd05

SHA512
dd750805e7175652caa576c5874d4fb1d76476781a69407dbafd591e7bffac14da67c498ac614366343b3c20cfbc3cae43acc0eab03705aeb910b853b38fb83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6808455.exe
Filesize
592KB

MD5
d6e566e196bb66e265bfd87f59af59e9

SHA1
a16530027b701658d624f2952f8fc3352755959b

SHA256
98922050557544978351d381896521d4a212d50f478ff7ac9a8f2c4699aafd05

SHA512
dd750805e7175652caa576c5874d4fb1d76476781a69407dbafd591e7bffac14da67c498ac614366343b3c20cfbc3cae43acc0eab03705aeb910b853b38fb83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0353539.exe
Filesize
315KB

MD5
adebffde909b881b4ddffad3351abb3f

SHA1
a46bf954139dea83b8c8e85e4b33c758e8aad06e

SHA256
358d82aa9b0b9f42e9587289daf85336ee808f6f131596d55139bb0e31ec835b

SHA512
d80f2377ac1ff58ceb64ee56fef3f09fcb8ed4087874f86f994b11d46f4a0afb8754be1940d29a6cda89bccfbd228cd7fd9701f144f6c4c34e277bbff860151f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0353539.exe
Filesize
315KB

MD5
adebffde909b881b4ddffad3351abb3f

SHA1
a46bf954139dea83b8c8e85e4b33c758e8aad06e

SHA256
358d82aa9b0b9f42e9587289daf85336ee808f6f131596d55139bb0e31ec835b

SHA512
d80f2377ac1ff58ceb64ee56fef3f09fcb8ed4087874f86f994b11d46f4a0afb8754be1940d29a6cda89bccfbd228cd7fd9701f144f6c4c34e277bbff860151f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8530051.exe
Filesize
275KB

MD5
e47ca2a92ec54fe215376a93edbee780

SHA1
932ecf34f79d4e7ecea36f0db7789225660700b7

SHA256
541867d0656c772770e291b13c6fb4b0c743ceb955bd8938c848741526ff252b

SHA512
7c968f2907779fab7a24ebd51d3ca3c47f27df7de08076b47235ca4a045bff6aad99075ab3122201b0892d998f5ec1d40f9838f89547c47cd13a15dd4a38572c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8530051.exe
Filesize
275KB

MD5
e47ca2a92ec54fe215376a93edbee780

SHA1
932ecf34f79d4e7ecea36f0db7789225660700b7

SHA256
541867d0656c772770e291b13c6fb4b0c743ceb955bd8938c848741526ff252b

SHA512
7c968f2907779fab7a24ebd51d3ca3c47f27df7de08076b47235ca4a045bff6aad99075ab3122201b0892d998f5ec1d40f9838f89547c47cd13a15dd4a38572c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7968967.exe
Filesize
181KB

MD5
3db048ff477521b27bac146ef9de20d3

SHA1
c316b2d2a2af2c8b78e3dffb80f778855d01ba9c

SHA256
c8aee75f2d15a92eab07efc174c9490cd85af74c025de5faf5f66e7bd236392a

SHA512
686ca12331bda96cd68d1d7a85ac3c68eeece7b2d58074990888dc3893ae5aeba205cdf90ca57cf6ea660e5f7f6f3d6e6b29f11dbf89bc4024b56fb874c498a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o7968967.exe
Filesize
181KB

MD5
3db048ff477521b27bac146ef9de20d3

SHA1
c316b2d2a2af2c8b78e3dffb80f778855d01ba9c

SHA256
c8aee75f2d15a92eab07efc174c9490cd85af74c025de5faf5f66e7bd236392a

SHA512
686ca12331bda96cd68d1d7a85ac3c68eeece7b2d58074990888dc3893ae5aeba205cdf90ca57cf6ea660e5f7f6f3d6e6b29f11dbf89bc4024b56fb874c498a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8133936.exe
Filesize
145KB

MD5
5584e1dcf39b21b6fa549032330a38e5

SHA1
b0e7c01886ce8304e4db3d292f5682e8575a3a1c

SHA256
f4c7ef227b48481eede9d01942c079805562290165ccc013c56174628c1a5a4a

SHA512
993738516c3871764c3c0e66ee4c1eb0ac2fb3258a801622dfc8b00a07f2132bfbf2d46223f377babff74251bf03053fae3db550ea82a1dc63ce999313be1f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p8133936.exe
Filesize
145KB

MD5
5584e1dcf39b21b6fa549032330a38e5

SHA1
b0e7c01886ce8304e4db3d292f5682e8575a3a1c

SHA256
f4c7ef227b48481eede9d01942c079805562290165ccc013c56174628c1a5a4a

SHA512
993738516c3871764c3c0e66ee4c1eb0ac2fb3258a801622dfc8b00a07f2132bfbf2d46223f377babff74251bf03053fae3db550ea82a1dc63ce999313be1f2f

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/748-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/748-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/748-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/748-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/748-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2208-155-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2728-193-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2728-183-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/2900-228-0x00000000077F0000-0x0000000007800000-memory.dmp

Filesize
64KB

Download
memory/3376-192-0x00000000008F0000-0x00000000009E8000-memory.dmp

Filesize
992KB

Download
memory/3376-194-0x0000000007680000-0x0000000007690000-memory.dmp

Filesize
64KB

Download
memory/4152-216-0x0000000007940000-0x0000000007950000-memory.dmp

Filesize
64KB

Download
memory/4252-260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4252-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4252-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4464-177-0x0000000006530000-0x0000000006580000-memory.dmp

Filesize
320KB

Download
memory/4464-165-0x0000000004DC0000-0x0000000004ECA000-memory.dmp

Filesize
1.0MB

Download
memory/4464-176-0x0000000006760000-0x00000000067D6000-memory.dmp

Filesize
472KB

Download
memory/4464-175-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4464-173-0x0000000006C90000-0x00000000071BC000-memory.dmp

Filesize
5.2MB

Download
memory/4464-172-0x0000000006590000-0x0000000006752000-memory.dmp

Filesize
1.8MB

Download
memory/4464-171-0x00000000051A0000-0x0000000005206000-memory.dmp

Filesize
408KB

Download
memory/4464-163-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/4464-169-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/4464-164-0x0000000005240000-0x0000000005858000-memory.dmp

Filesize
6.1MB

Download
memory/4464-166-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/4464-170-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/4464-167-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/4464-168-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4832-231-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4832-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4832-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-201-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download