redline | b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2023 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe
Size

1.0MB
MD5

13cc9a77aea1d4e2b3c1c47f4d7811f7
SHA1

523cffeafe96e0a93511571c22a3b5bf6f80aa35
SHA256

b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7
SHA512

3996cfe348169afd0c489025f729dc2b8b703b8d86dec5ee281074b7e8f73b379c2f8b0eeafcb6495f3825fbef0b10efdfcc7ed092f23a95f782b2ba745c71d3
SSDEEP

12288:gMrCy908OLqjW56NcoAlJhOJFP76h04TmFOlLr3FWHVQFpU2Nb8vJM5SMaFaaDya:SyEyco37G+4JEHVQnU2Nbaj5Fauyvi

Score

10^/10

redline lizsa metro discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lizsa

83.97.73.127:19045

Attributes

auth_value
44b0b71b36e78465dbdebb4ecfb78b77

Extracted

Family

redline

Botnet

metro

83.97.73.127:19045

Attributes

auth_value
f7fd4aa816bdbaad933b45b51d9b6b1a

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s9279482.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	s9279482.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 13 IoCs

Processes:

z5516973.exez3673803.exeo8168181.exep0009491.exer8132651.exes9279482.exes9279482.exelegends.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
1768	z5516973.exe
2732	z3673803.exe
2060	o8168181.exe
1428	p0009491.exe
324	r8132651.exe
1564	s9279482.exe
4052	s9279482.exe
928	legends.exe
3232	legends.exe
2552	legends.exe
1284	legends.exe
4900	legends.exe
2224	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4460 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4460	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exez5516973.exez3673803.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5516973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5516973.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3673803.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3673803.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o8168181.exer8132651.exes9279482.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 2060 set thread context of 5028	2060	o8168181.exe	AppLaunch.exe
PID 324 set thread context of 3212	324	r8132651.exe	AppLaunch.exe
PID 1564 set thread context of 4052	1564	s9279482.exe	s9279482.exe
PID 928 set thread context of 3232	928	legends.exe	legends.exe
PID 2552 set thread context of 1284	2552	legends.exe	legends.exe
PID 4900 set thread context of 2224	4900	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1916 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AppLaunch.exep0009491.exeAppLaunch.exe

pid process

5028 AppLaunch.exe
5028 AppLaunch.exe
1428 p0009491.exe
1428 p0009491.exe
3212 AppLaunch.exe
3212 AppLaunch.exe

pid	process
1916	schtasks.exe

pid	process
5028	AppLaunch.exe
5028	AppLaunch.exe
1428	p0009491.exe
1428	p0009491.exe
3212	AppLaunch.exe
3212	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AppLaunch.exep0009491.exes9279482.exelegends.exeAppLaunch.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	5028	AppLaunch.exe
Token: SeDebugPrivilege	1428	p0009491.exe
Token: SeDebugPrivilege	1564	s9279482.exe
Token: SeDebugPrivilege	928	legends.exe
Token: SeDebugPrivilege	3212	AppLaunch.exe
Token: SeDebugPrivilege	2552	legends.exe
Token: SeDebugPrivilege	4900	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s9279482.exe

pid process

4052 s9279482.exe

pid	process
4052	s9279482.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exez5516973.exez3673803.exeo8168181.exer8132651.exes9279482.exes9279482.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 4488 wrote to memory of 1768	4488	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe	z5516973.exe
PID 4488 wrote to memory of 1768	4488	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe	z5516973.exe
PID 4488 wrote to memory of 1768	4488	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe	z5516973.exe
PID 1768 wrote to memory of 2732	1768	z5516973.exe	z3673803.exe
PID 1768 wrote to memory of 2732	1768	z5516973.exe	z3673803.exe
PID 1768 wrote to memory of 2732	1768	z5516973.exe	z3673803.exe
PID 2732 wrote to memory of 2060	2732	z3673803.exe	o8168181.exe
PID 2732 wrote to memory of 2060	2732	z3673803.exe	o8168181.exe
PID 2732 wrote to memory of 2060	2732	z3673803.exe	o8168181.exe
PID 2060 wrote to memory of 5028	2060	o8168181.exe	AppLaunch.exe
PID 2060 wrote to memory of 5028	2060	o8168181.exe	AppLaunch.exe
PID 2060 wrote to memory of 5028	2060	o8168181.exe	AppLaunch.exe
PID 2060 wrote to memory of 5028	2060	o8168181.exe	AppLaunch.exe
PID 2060 wrote to memory of 5028	2060	o8168181.exe	AppLaunch.exe
PID 2732 wrote to memory of 1428	2732	z3673803.exe	p0009491.exe
PID 2732 wrote to memory of 1428	2732	z3673803.exe	p0009491.exe
PID 2732 wrote to memory of 1428	2732	z3673803.exe	p0009491.exe
PID 1768 wrote to memory of 324	1768	z5516973.exe	r8132651.exe
PID 1768 wrote to memory of 324	1768	z5516973.exe	r8132651.exe
PID 1768 wrote to memory of 324	1768	z5516973.exe	r8132651.exe
PID 324 wrote to memory of 3212	324	r8132651.exe	AppLaunch.exe
PID 324 wrote to memory of 3212	324	r8132651.exe	AppLaunch.exe
PID 324 wrote to memory of 3212	324	r8132651.exe	AppLaunch.exe
PID 324 wrote to memory of 3212	324	r8132651.exe	AppLaunch.exe
PID 324 wrote to memory of 3212	324	r8132651.exe	AppLaunch.exe
PID 4488 wrote to memory of 1564	4488	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe	s9279482.exe
PID 4488 wrote to memory of 1564	4488	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe	s9279482.exe
PID 4488 wrote to memory of 1564	4488	b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 1564 wrote to memory of 4052	1564	s9279482.exe	s9279482.exe
PID 4052 wrote to memory of 928	4052	s9279482.exe	legends.exe
PID 4052 wrote to memory of 928	4052	s9279482.exe	legends.exe
PID 4052 wrote to memory of 928	4052	s9279482.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 928 wrote to memory of 3232	928	legends.exe	legends.exe
PID 3232 wrote to memory of 1916	3232	legends.exe	schtasks.exe
PID 3232 wrote to memory of 1916	3232	legends.exe	schtasks.exe
PID 3232 wrote to memory of 1916	3232	legends.exe	schtasks.exe
PID 3232 wrote to memory of 2248	3232	legends.exe	cmd.exe
PID 3232 wrote to memory of 2248	3232	legends.exe	cmd.exe
PID 3232 wrote to memory of 2248	3232	legends.exe	cmd.exe
PID 2248 wrote to memory of 3096	2248	cmd.exe	cmd.exe
PID 2248 wrote to memory of 3096	2248	cmd.exe	cmd.exe
PID 2248 wrote to memory of 3096	2248	cmd.exe	cmd.exe
PID 2248 wrote to memory of 3224	2248	cmd.exe	cacls.exe
PID 2248 wrote to memory of 3224	2248	cmd.exe	cacls.exe
PID 2248 wrote to memory of 3224	2248	cmd.exe	cacls.exe
PID 2248 wrote to memory of 3320	2248	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe
"C:\Users\Admin\AppData\Local\Temp\b214a3d867081a80a2f0eef209e167bc32cefb973dca659dcceac6fba049d1f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4488

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5516973.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5516973.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3673803.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3673803.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8168181.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8168181.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0009491.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0009491.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8132651.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8132651.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9279482.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9279482.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9279482.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9279482.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3096

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:3224

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3412

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:2896

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:4080

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:4460

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9279482.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9279482.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9279482.exe
Filesize
964KB

MD5
f4d9901c79edf0a20f1b5c9cb5c3689b

SHA1
4645b63d08ac517a767d90aac51b36f188748b2e

SHA256
f216bae96838d55c6127e345d8ee01f57c6dd30c6796fd4d8918b7e5adde60e1

SHA512
19667798c5bbfbe29ed91727f8168550b3aa3ffee4ec60a67fc623b08ecf8241f7c6f0df4eb26bb6865f1bf082ebecb7d5d6acb7ad775f05727dc30aa3368d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5516973.exe
Filesize
617KB

MD5
1f4efc37fa52cb6eff15484ff42a9256

SHA1
6177ca0130b1cf00a47a199aeba4b5d8fd76e3f3

SHA256
52e9cd03d6fd319d44c5818e9f74539c22172da3c390825e999ea871a2d3c63b

SHA512
31305c9d68d0a109d735dedce46d30300c7b46d8380dba0a208c87dfa974078219dc2bb33fca31fb18a428393843dc960f85de07d958d94be4ed20ba5419b496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5516973.exe
Filesize
617KB

MD5
1f4efc37fa52cb6eff15484ff42a9256

SHA1
6177ca0130b1cf00a47a199aeba4b5d8fd76e3f3

SHA256
52e9cd03d6fd319d44c5818e9f74539c22172da3c390825e999ea871a2d3c63b

SHA512
31305c9d68d0a109d735dedce46d30300c7b46d8380dba0a208c87dfa974078219dc2bb33fca31fb18a428393843dc960f85de07d958d94be4ed20ba5419b496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8132651.exe
Filesize
321KB

MD5
d536c2daf635d79a6dbab08bfa649d4f

SHA1
ec035ef79a8591faba5ae4fae2b7d27ed081198f

SHA256
f34528d1ac9a337fe92507f751cf593c26fc375a70cb3afa16d86bb286fd317f

SHA512
a2a98bd3d549831feaa84bd0e7b9c0f41023ef17ddd922b3e6399e708ea20406f60cca166a27d20c70713768874f76364bc7bc11b26972f51d500a9795b520b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8132651.exe
Filesize
321KB

MD5
d536c2daf635d79a6dbab08bfa649d4f

SHA1
ec035ef79a8591faba5ae4fae2b7d27ed081198f

SHA256
f34528d1ac9a337fe92507f751cf593c26fc375a70cb3afa16d86bb286fd317f

SHA512
a2a98bd3d549831feaa84bd0e7b9c0f41023ef17ddd922b3e6399e708ea20406f60cca166a27d20c70713768874f76364bc7bc11b26972f51d500a9795b520b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3673803.exe
Filesize
282KB

MD5
680e77c86a4da962fad56a1f56370373

SHA1
b2b29602fda176d05cc104f1a5213430a17827af

SHA256
955551cf5b9c2b5594276e5b375b3ac9df1976ef747dbe0599b94cf1f3a9bd73

SHA512
c1c86048f6a586f7dca6690cd7e2666495efb527dd2b3fc604095e66564db45252bda0b1b266f8fdf9cedda4dbe71e1b8b78d82df952ea4a3ccca895b4be747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3673803.exe
Filesize
282KB

MD5
680e77c86a4da962fad56a1f56370373

SHA1
b2b29602fda176d05cc104f1a5213430a17827af

SHA256
955551cf5b9c2b5594276e5b375b3ac9df1976ef747dbe0599b94cf1f3a9bd73

SHA512
c1c86048f6a586f7dca6690cd7e2666495efb527dd2b3fc604095e66564db45252bda0b1b266f8fdf9cedda4dbe71e1b8b78d82df952ea4a3ccca895b4be747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8168181.exe
Filesize
164KB

MD5
8ee12fdaaf83ad067cfbc30665c1306f

SHA1
10d8e48cde54f86049a51737356ba1c881f2c73e

SHA256
35b53aba35572ee1dc6e2556fa154c7a4d4893564e28b6561d17c4997cd82867

SHA512
6ab9e00eb06f374e39224139a3f1ee9acf0dd726f577e3d179bdbb4202fc6e9c24161c68a03e09d16f13d1252c3258f4bdd23b508cebc41feaaab09effad7642

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8168181.exe
Filesize
164KB

MD5
8ee12fdaaf83ad067cfbc30665c1306f

SHA1
10d8e48cde54f86049a51737356ba1c881f2c73e

SHA256
35b53aba35572ee1dc6e2556fa154c7a4d4893564e28b6561d17c4997cd82867

SHA512
6ab9e00eb06f374e39224139a3f1ee9acf0dd726f577e3d179bdbb4202fc6e9c24161c68a03e09d16f13d1252c3258f4bdd23b508cebc41feaaab09effad7642

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0009491.exe
Filesize
168KB

MD5
e09b977b83ffae8ae66f32faa03d5ea9

SHA1
78212a7580020fc5f70ac1cc151a5fed78a29ee5

SHA256
163cbd1d246e2cb5c2e65fd5e6a5848dc9beafaf52dc9a62ead56e478d86240d

SHA512
0c566e516ddf0d3b16a9b333ead95d56a6e274ba1cac4fb46d259be22beb03514056fbf200229102c834d51f4269ebb0add3c56562128a01356e5d9ad3467b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0009491.exe
Filesize
168KB

MD5
e09b977b83ffae8ae66f32faa03d5ea9

SHA1
78212a7580020fc5f70ac1cc151a5fed78a29ee5

SHA256
163cbd1d246e2cb5c2e65fd5e6a5848dc9beafaf52dc9a62ead56e478d86240d

SHA512
0c566e516ddf0d3b16a9b333ead95d56a6e274ba1cac4fb46d259be22beb03514056fbf200229102c834d51f4269ebb0add3c56562128a01356e5d9ad3467b11

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/928-216-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1284-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1284-231-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1284-230-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1428-165-0x000000000A680000-0x000000000A78A000-memory.dmp

Filesize
1.0MB

Download
memory/1428-177-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/1428-175-0x000000000B820000-0x000000000B870000-memory.dmp

Filesize
320KB

Download
memory/1428-174-0x000000000C640000-0x000000000CB6C000-memory.dmp

Filesize
5.2MB

Download
memory/1428-173-0x000000000B8F0000-0x000000000BAB2000-memory.dmp

Filesize
1.8MB

Download
memory/1428-172-0x000000000BB60000-0x000000000C104000-memory.dmp

Filesize
5.6MB

Download
memory/1428-171-0x000000000A990000-0x000000000A9F6000-memory.dmp

Filesize
408KB

Download
memory/1428-170-0x000000000AA30000-0x000000000AAC2000-memory.dmp

Filesize
584KB

Download
memory/1428-169-0x000000000A910000-0x000000000A986000-memory.dmp

Filesize
472KB

Download
memory/1428-168-0x000000000A600000-0x000000000A63C000-memory.dmp

Filesize
240KB

Download
memory/1428-167-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/1428-166-0x000000000A5A0000-0x000000000A5B2000-memory.dmp

Filesize
72KB

Download
memory/1428-164-0x000000000AB90000-0x000000000B1A8000-memory.dmp

Filesize
6.1MB

Download
memory/1428-163-0x00000000006F0000-0x000000000071E000-memory.dmp

Filesize
184KB

Download
memory/1564-194-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/1564-192-0x00000000006B0000-0x00000000007A8000-memory.dmp

Filesize
992KB

Download
memory/2224-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2224-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2224-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3212-183-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3212-193-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3232-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3232-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4052-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4052-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4052-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4052-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4052-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5028-155-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download