redline | f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
03/06/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe
Size

1.0MB
MD5

e77b56178dfb234e0770e50178ba9065
SHA1

2241bfb4987a8d7f2e431904818134c54ab02cb4
SHA256

f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19
SHA512

cdebf4f62ee6690d31f01350fd8b732667c97a640ee1ec8f381f846b42c3391016366afe780db160273dc630b9f292665e3bc764647c290a42441db85f1ab390
SSDEEP

24576:6yrTP6SxEkGXRMvjd8dpleoVCOnplOoLd+fRH0MrZFj:Br2L4d8dpkepgoR+fRH0WZF

Score

10^/10

redline brain lusa discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lusa

83.97.73.126:19046

Attributes

auth_value
c9df946711e01c378b42221de692acbd

Extracted

Family

redline

Botnet

brain

83.97.73.126:19046

Attributes

auth_value
5fb8269baadec0c49899b9a7a0c8851f

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 16 IoCs

pid	Process
3652	z8570488.exe
4608	z8135058.exe
5008	o8758829.exe
4072	p6777795.exe
1544	r7605585.exe
3684	s6494594.exe
3504	s6494594.exe
4492	legends.exe
3608	legends.exe
4484	legends.exe
5056	legends.exe
4952	legends.exe
4896	legends.exe
4116	legends.exe
4108	legends.exe
4208	legends.exe

Loads dropped DLL 1 IoCs

pid	Process
3376	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8570488.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8570488.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8135058.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8135058.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 3060	5008	o8758829.exe	70
PID 1544 set thread context of 3040	1544	r7605585.exe	75
PID 3684 set thread context of 3504	3684	s6494594.exe	77
PID 4492 set thread context of 3608	4492	legends.exe	79
PID 4484 set thread context of 5056	4484	legends.exe	91
PID 4952 set thread context of 4116	4952	legends.exe	95
PID 4108 set thread context of 4208	4108	legends.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3060	AppLaunch.exe
3060	AppLaunch.exe
4072	p6777795.exe
4072	p6777795.exe
3040	AppLaunch.exe
3040	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	AppLaunch.exe
Token: SeDebugPrivilege	4072	p6777795.exe
Token: SeDebugPrivilege	3684	s6494594.exe
Token: SeDebugPrivilege	4492	legends.exe
Token: SeDebugPrivilege	3040	AppLaunch.exe
Token: SeDebugPrivilege	4484	legends.exe
Token: SeDebugPrivilege	4952	legends.exe
Token: SeDebugPrivilege	4108	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3504	s6494594.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 3652	420	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe	66
PID 420 wrote to memory of 3652	420	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe	66
PID 420 wrote to memory of 3652	420	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe	66
PID 3652 wrote to memory of 4608	3652	z8570488.exe	67
PID 3652 wrote to memory of 4608	3652	z8570488.exe	67
PID 3652 wrote to memory of 4608	3652	z8570488.exe	67
PID 4608 wrote to memory of 5008	4608	z8135058.exe	68
PID 4608 wrote to memory of 5008	4608	z8135058.exe	68
PID 4608 wrote to memory of 5008	4608	z8135058.exe	68
PID 5008 wrote to memory of 3060	5008	o8758829.exe	70
PID 5008 wrote to memory of 3060	5008	o8758829.exe	70
PID 5008 wrote to memory of 3060	5008	o8758829.exe	70
PID 5008 wrote to memory of 3060	5008	o8758829.exe	70
PID 5008 wrote to memory of 3060	5008	o8758829.exe	70
PID 4608 wrote to memory of 4072	4608	z8135058.exe	71
PID 4608 wrote to memory of 4072	4608	z8135058.exe	71
PID 4608 wrote to memory of 4072	4608	z8135058.exe	71
PID 3652 wrote to memory of 1544	3652	z8570488.exe	73
PID 3652 wrote to memory of 1544	3652	z8570488.exe	73
PID 3652 wrote to memory of 1544	3652	z8570488.exe	73
PID 1544 wrote to memory of 3040	1544	r7605585.exe	75
PID 1544 wrote to memory of 3040	1544	r7605585.exe	75
PID 1544 wrote to memory of 3040	1544	r7605585.exe	75
PID 1544 wrote to memory of 3040	1544	r7605585.exe	75
PID 1544 wrote to memory of 3040	1544	r7605585.exe	75
PID 420 wrote to memory of 3684	420	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe	76
PID 420 wrote to memory of 3684	420	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe	76
PID 420 wrote to memory of 3684	420	f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe	76
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3684 wrote to memory of 3504	3684	s6494594.exe	77
PID 3504 wrote to memory of 4492	3504	s6494594.exe	78
PID 3504 wrote to memory of 4492	3504	s6494594.exe	78
PID 3504 wrote to memory of 4492	3504	s6494594.exe	78
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 4492 wrote to memory of 3608	4492	legends.exe	79
PID 3608 wrote to memory of 3556	3608	legends.exe	80
PID 3608 wrote to memory of 3556	3608	legends.exe	80
PID 3608 wrote to memory of 3556	3608	legends.exe	80
PID 3608 wrote to memory of 4232	3608	legends.exe	82
PID 3608 wrote to memory of 4232	3608	legends.exe	82
PID 3608 wrote to memory of 4232	3608	legends.exe	82
PID 4232 wrote to memory of 3748	4232	cmd.exe	84
PID 4232 wrote to memory of 3748	4232	cmd.exe	84
PID 4232 wrote to memory of 3748	4232	cmd.exe	84
PID 4232 wrote to memory of 1736	4232	cmd.exe	85
PID 4232 wrote to memory of 1736	4232	cmd.exe	85
PID 4232 wrote to memory of 1736	4232	cmd.exe	85
PID 4232 wrote to memory of 3744	4232	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe
"C:\Users\Admin\AppData\Local\Temp\f38e8c5e01a4198ba2eae79e91784c7272a8b7142a011a01422b6c9b0262dc19.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8570488.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8570488.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8135058.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8135058.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8758829.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8758829.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6777795.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6777795.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7605585.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7605585.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6494594.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6494594.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6494594.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6494594.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
      "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        
        C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3556
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:N"
        7⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legends.exe" /P "Admin:R" /E
        7⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:N"
        7⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\41bde21dc7" /P "Admin:R" /E
        7⤵
        
        PID:3576
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:3376

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4484
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:5056

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4952
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4116

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4108
- C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
  2⤵
  - Executes dropped EXE
  PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6494594.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6494594.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6494594.exe

Filesize
966KB

MD5
49531a04964d99a49b94e42517eed1e0

SHA1
9e74bbb384caba3c7613e9204de0278987ea19fa

SHA256
1d6cf04c6ba1bce7fdbec8cf1d5764fcf1ab1bd072f240951702f7bd8759ae3b

SHA512
b95ae106a81c8695747d292a2c801e0c147ab4d8155a202f5cb5a79e3d7251ada05058dbc00f8d38843023bef0473524861c1c3863993fb224a9597adb437a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8570488.exe

Filesize
607KB

MD5
6d55bd1ceeb9657f4d2f32a8bb49be6f

SHA1
41334e10c00a23f0936595a0be43785ddfece928

SHA256
68cea7c860cd90b754fd21fc3370157a37c69fdf4c89aaf11083aad3af5320d6

SHA512
8f9927bbc6abfe20116d7847f71a6832aa99a3ae3dee044042dad6fffb52e7bda3ded8b75bed59a3b084705c65ed3b3240e762fe209f5de2abf874974866ea76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8570488.exe

Filesize
607KB

MD5
6d55bd1ceeb9657f4d2f32a8bb49be6f

SHA1
41334e10c00a23f0936595a0be43785ddfece928

SHA256
68cea7c860cd90b754fd21fc3370157a37c69fdf4c89aaf11083aad3af5320d6

SHA512
8f9927bbc6abfe20116d7847f71a6832aa99a3ae3dee044042dad6fffb52e7bda3ded8b75bed59a3b084705c65ed3b3240e762fe209f5de2abf874974866ea76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7605585.exe

Filesize
304KB

MD5
91680fe2c4c6396e7ae0d633172739b6

SHA1
72fd06b92caae790420d72b4f165009fe57d613d

SHA256
2a52d162b955187abc604e73e729dd3301d502c2c9c7ec59843433585b74c195

SHA512
2a8ce7b8cd7f26b51112553ea84f4685fcc1490aa6c8be1fe1a5321b8a5bb51c6367a34cae150c6ddd21b33a57c834b9b6fc0aea6991127fee309009d517feb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7605585.exe

Filesize
304KB

MD5
91680fe2c4c6396e7ae0d633172739b6

SHA1
72fd06b92caae790420d72b4f165009fe57d613d

SHA256
2a52d162b955187abc604e73e729dd3301d502c2c9c7ec59843433585b74c195

SHA512
2a8ce7b8cd7f26b51112553ea84f4685fcc1490aa6c8be1fe1a5321b8a5bb51c6367a34cae150c6ddd21b33a57c834b9b6fc0aea6991127fee309009d517feb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8135058.exe

Filesize
276KB

MD5
bc22026d93573726551504d381b9aef8

SHA1
7872526adfd24d706f82c83a909e3269666067c2

SHA256
4bcd059b41262987867eabaa8356f070d415085c5cb2d6a9d9184761d925847a

SHA512
ad9a027bdfab4a27b1b2173fa941ee46776ff5808af96971ec2e99f1802516949d387fb2d42008d07982bd258ef391cf4873ec1ffc0257ccddc2b69e042a8a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8135058.exe

Filesize
276KB

MD5
bc22026d93573726551504d381b9aef8

SHA1
7872526adfd24d706f82c83a909e3269666067c2

SHA256
4bcd059b41262987867eabaa8356f070d415085c5cb2d6a9d9184761d925847a

SHA512
ad9a027bdfab4a27b1b2173fa941ee46776ff5808af96971ec2e99f1802516949d387fb2d42008d07982bd258ef391cf4873ec1ffc0257ccddc2b69e042a8a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8758829.exe

Filesize
147KB

MD5
54ca77d2cafd3bb56c5b848a72394a2b

SHA1
d00c5a47e07bf850c2a712be4d23438c2492ee7d

SHA256
19281439254ac3246079de8a5c26cf7b1cac7d52072d1b0296760b80cd3c3d56

SHA512
8b9241982c6c4d585e491b0d729b049f881103fd29682bbed1c6d5fb6a14f141ff790d2f777f69c9bb30e69e45099b17b6711be58822a3f3e75257aad1e8b864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o8758829.exe

Filesize
147KB

MD5
54ca77d2cafd3bb56c5b848a72394a2b

SHA1
d00c5a47e07bf850c2a712be4d23438c2492ee7d

SHA256
19281439254ac3246079de8a5c26cf7b1cac7d52072d1b0296760b80cd3c3d56

SHA512
8b9241982c6c4d585e491b0d729b049f881103fd29682bbed1c6d5fb6a14f141ff790d2f777f69c9bb30e69e45099b17b6711be58822a3f3e75257aad1e8b864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6777795.exe

Filesize
168KB

MD5
3750fd1375ac063400ae822350c2c97b

SHA1
73767193372083134ba7da195c4e713512883025

SHA256
9f91b4a29af11787b087e6e4c88562fdbf4938046c946760e5a866ed46133153

SHA512
c17bf820226caa4524dc58156154e67a6b10e33bd80a31e5c302c0a3e31aa026a39859c9536066b12c397590cd2d7ff35074945053f119a4e916ffac430bdeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p6777795.exe

Filesize
168KB

MD5
3750fd1375ac063400ae822350c2c97b

SHA1
73767193372083134ba7da195c4e713512883025

SHA256
9f91b4a29af11787b087e6e4c88562fdbf4938046c946760e5a866ed46133153

SHA512
c17bf820226caa4524dc58156154e67a6b10e33bd80a31e5c302c0a3e31aa026a39859c9536066b12c397590cd2d7ff35074945053f119a4e916ffac430bdeb1

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
memory/3040-190-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3040-203-0x00000000092E0000-0x00000000092E6000-memory.dmp

Filesize
24KB

Download
memory/3040-209-0x0000000009330000-0x0000000009340000-memory.dmp

Filesize
64KB

Download
memory/3060-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3504-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3504-213-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3504-216-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3504-210-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3504-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-588-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-631-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-590-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-599-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3608-587-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3684-208-0x0000000007A00000-0x0000000007A10000-memory.dmp

Filesize
64KB

Download
memory/3684-202-0x0000000000CC0000-0x0000000000DB8000-memory.dmp

Filesize
992KB

Download
memory/4072-166-0x000000000AA30000-0x000000000AAC2000-memory.dmp

Filesize
584KB

Download
memory/4072-167-0x000000000A990000-0x000000000A9F6000-memory.dmp

Filesize
408KB

Download
memory/4072-185-0x000000000B730000-0x000000000B780000-memory.dmp

Filesize
320KB

Download
memory/4072-170-0x000000000C4D0000-0x000000000C9FC000-memory.dmp

Filesize
5.2MB

Download
memory/4072-169-0x000000000B790000-0x000000000B952000-memory.dmp

Filesize
1.8MB

Download
memory/4072-149-0x0000000000720000-0x000000000074E000-memory.dmp

Filesize
184KB

Download
memory/4072-168-0x000000000BAA0000-0x000000000BF9E000-memory.dmp

Filesize
5.0MB

Download
memory/4072-153-0x000000000A5A0000-0x000000000A5B2000-memory.dmp

Filesize
72KB

Download
memory/4072-150-0x00000000029E0000-0x00000000029E6000-memory.dmp

Filesize
24KB

Download
memory/4072-151-0x000000000AB90000-0x000000000B196000-memory.dmp

Filesize
6.0MB

Download
memory/4072-152-0x000000000A690000-0x000000000A79A000-memory.dmp

Filesize
1.0MB

Download
memory/4072-165-0x000000000A910000-0x000000000A986000-memory.dmp

Filesize
472KB

Download
memory/4072-156-0x000000000A640000-0x000000000A68B000-memory.dmp

Filesize
300KB

Download
memory/4072-155-0x000000000A600000-0x000000000A63E000-memory.dmp

Filesize
248KB

Download
memory/4072-154-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4108-643-0x0000000007190000-0x00000000071A0000-memory.dmp

Filesize
64KB

Download
memory/4116-639-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4116-640-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4116-641-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4208-646-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4208-647-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4208-648-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4484-608-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/4492-225-0x0000000007BD0000-0x0000000007BE0000-memory.dmp

Filesize
64KB

Download
memory/4952-635-0x0000000007BF0000-0x0000000007C00000-memory.dmp

Filesize
64KB

Download
memory/5056-613-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5056-612-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5056-611-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download