neshta | 84647ec81d76528fac8b78b96a7c2b7b57ada2f979739bb114d8e91b84009546

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Play Gift Cards Generator And Checker v3 By X-LINE.zip
Size

2.6MB
MD5

32c6a5bdcc614611364576ebe2c7e754
SHA1

a3d7308876f7025b9a89b920ff95085d565f4478
SHA256

84647ec81d76528fac8b78b96a7c2b7b57ada2f979739bb114d8e91b84009546
SHA512

e5bef3719c0f9dd0bb6ce10ed83d8991f813bbb89662c89073bcc1e277f29169569c29a3398ec2f60c7c6316074d92a4ccebc43e00947f307878327a8cfa70d7
SSDEEP

49152:y+GKlqHgWaBiNqe/g1OfblYt7bqDJRF3g2M9RWgIGZyp:yhKlqHzjYwfa94fm1IGZW

Score

10^/10

neshta redline diamotrix discovery infostealer persistence pyinstaller spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

176.111.174.140:1912

Signatures

Detect Neshta payload 13 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Google Play Gift Cards Generator And Checker v3 By X-LINE.exe	family_neshta
C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Checker.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Google Play Gift Cards Generator And Checker v3 By X-LINE.exe	family_neshta
behavioral2/memory/1180-295-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3236-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2064-313-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1948-354-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/464-365-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2552-371-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3388-372-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3236-374-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A5A6.tmp.x.exe	family_redline
behavioral2/memory/3120-157-0x0000000000EB0000-0x0000000000F02000-memory.dmp	family_redline

Redline family
redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Google Play Gift Cards Generator And Checker v3 By X-LINE.exeChecker.exeGOOGLE~1.EXEChecker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Google Play Gift Cards Generator And Checker v3 By X-LINE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	GOOGLE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Checker.exe

Executes dropped EXE 16 IoCs

Processes:

Google Play Gift Cards Generator And Checker v3 By X-LINE.exesysctemapp.exeChecker.exeChecker.exesvchost.comA5A6TM~1.EXEsvchost.comB6CETM~1.EXEB6CETM~1.EXEsvchost.comGOOGLE~1.EXEsvchost.comChecker.exeSYSCTE~1.EXEsvchost.comChecker.exe

pid	process
3172	Google Play Gift Cards Generator And Checker v3 By X-LINE.exe
4544	sysctemapp.exe
3236	Checker.exe
4872	Checker.exe
1180	svchost.com
3120	A5A6TM~1.EXE
3388	svchost.com
2992	B6CETM~1.EXE
4628	B6CETM~1.EXE
2064	svchost.com
1072	GOOGLE~1.EXE
1948	svchost.com
464	Checker.exe
852	SYSCTE~1.EXE
2552	svchost.com
2776	Checker.exe

Loads dropped DLL 7 IoCs

Processes:

Checker.exeB6CETM~1.EXEChecker.exe

pid process

4872 Checker.exe
4628 B6CETM~1.EXE
4628 B6CETM~1.EXE
4628 B6CETM~1.EXE
4628 B6CETM~1.EXE
4628 B6CETM~1.EXE
2776 Checker.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

Checker.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" Checker.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4872	Checker.exe
4628	B6CETM~1.EXE
4628	B6CETM~1.EXE
4628	B6CETM~1.EXE
4628	B6CETM~1.EXE
4628	B6CETM~1.EXE
2776	Checker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Checker.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

audiodg.exeSYSCTE~1.EXEsysctemapp.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\71870676E6FA3332743865\\71870676E6FA3332743865.exe"	audiodg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\71870676E6FA3332743865\\71870676E6FA3332743865.exe"	SYSCTE~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\71870676E6FA3332743865\\71870676E6FA3332743865.exe"	sysctemapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\71870676E6FA3332743865\\71870676E6FA3332743865.exe"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

sysctemapp.exeSYSCTE~1.EXE

description	pid	process	target process
PID 4544 set thread context of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 set thread context of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 set thread context of 2012	4544	sysctemapp.exe	audiodg.exe
PID 852 set thread context of 976	852	SYSCTE~1.EXE	svchost.exe
PID 852 set thread context of 1464	852	SYSCTE~1.EXE	audiodg.exe
PID 852 set thread context of 4020	852	SYSCTE~1.EXE	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comChecker.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	Checker.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	Checker.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	Checker.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	Checker.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	Checker.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	Checker.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	Checker.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	Checker.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	Checker.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	Checker.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	Checker.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	Checker.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	Checker.exe

Drops file in Windows directory 13 IoCs

Processes:

Checker.exesvchost.comsvchost.comsvchost.comsvchost.comChecker.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	Checker.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	Checker.exe
File opened for modification	C:\Windows\svchost.com	Checker.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B6CE.tmp.zx.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4492 4872 WerFault.exe Checker.exe
3460 2776 WerFault.exe Checker.exe

pid	pid_target	process	target process
4492	4872	WerFault.exe	Checker.exe
3460	2776	WerFault.exe	Checker.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.comA5A6TM~1.EXEsvchost.comsvchost.comsvchost.comChecker.exeChecker.exeChecker.exesvchost.comChecker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A5A6TM~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Checker.exe

Modifies registry class 36 IoCs

Processes:

Explorer.EXEChecker.exeChecker.exeGOOGLE~1.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "3"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	Checker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	GOOGLE~1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeaudiodg.exesvchost.exeExplorer.EXE

pid	process
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
3308	msiexec.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
3308	msiexec.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
3308	msiexec.exe
2012	audiodg.exe
3308	msiexec.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
2012	audiodg.exe
4008	svchost.exe
4008	svchost.exe
3500	Explorer.EXE
3500	Explorer.EXE
2012	audiodg.exe
3308	msiexec.exe
3308	msiexec.exe
2012	audiodg.exe
3308	msiexec.exe
3308	msiexec.exe
2012	audiodg.exe
2012	audiodg.exe
3308	msiexec.exe
2012	audiodg.exe
3308	msiexec.exe
2012	audiodg.exe
3308	msiexec.exe
3308	msiexec.exe
2012	audiodg.exe
2012	audiodg.exe
3308	msiexec.exe
3308	msiexec.exe
2012	audiodg.exe
2012	audiodg.exe
3308	msiexec.exe
3308	msiexec.exe
2012	audiodg.exe
2012	audiodg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3500 Explorer.EXE

pid	process
3500	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exesysctemapp.exesvchost.exemsiexec.exe

description	pid	process
Token: SeRestorePrivilege	372	7zFM.exe
Token: 35	372	7zFM.exe
Token: SeSecurityPrivilege	372	7zFM.exe
Token: SeIncreaseQuotaPrivilege	4544	sysctemapp.exe
Token: SeSecurityPrivilege	4544	sysctemapp.exe
Token: SeTakeOwnershipPrivilege	4544	sysctemapp.exe
Token: SeLoadDriverPrivilege	4544	sysctemapp.exe
Token: SeSystemProfilePrivilege	4544	sysctemapp.exe
Token: SeSystemtimePrivilege	4544	sysctemapp.exe
Token: SeProfSingleProcessPrivilege	4544	sysctemapp.exe
Token: SeIncBasePriorityPrivilege	4544	sysctemapp.exe
Token: SeCreatePagefilePrivilege	4544	sysctemapp.exe
Token: SeBackupPrivilege	4544	sysctemapp.exe
Token: SeRestorePrivilege	4544	sysctemapp.exe
Token: SeShutdownPrivilege	4544	sysctemapp.exe
Token: SeDebugPrivilege	4544	sysctemapp.exe
Token: SeSystemEnvironmentPrivilege	4544	sysctemapp.exe
Token: SeRemoteShutdownPrivilege	4544	sysctemapp.exe
Token: SeUndockPrivilege	4544	sysctemapp.exe
Token: SeManageVolumePrivilege	4544	sysctemapp.exe
Token: 33	4544	sysctemapp.exe
Token: 34	4544	sysctemapp.exe
Token: 35	4544	sysctemapp.exe
Token: 36	4544	sysctemapp.exe
Token: SeIncreaseQuotaPrivilege	4008	svchost.exe
Token: SeSecurityPrivilege	4008	svchost.exe
Token: SeTakeOwnershipPrivilege	4008	svchost.exe
Token: SeLoadDriverPrivilege	4008	svchost.exe
Token: SeSystemProfilePrivilege	4008	svchost.exe
Token: SeSystemtimePrivilege	4008	svchost.exe
Token: SeProfSingleProcessPrivilege	4008	svchost.exe
Token: SeIncBasePriorityPrivilege	4008	svchost.exe
Token: SeCreatePagefilePrivilege	4008	svchost.exe
Token: SeBackupPrivilege	4008	svchost.exe
Token: SeRestorePrivilege	4008	svchost.exe
Token: SeShutdownPrivilege	4008	svchost.exe
Token: SeDebugPrivilege	4008	svchost.exe
Token: SeSystemEnvironmentPrivilege	4008	svchost.exe
Token: SeRemoteShutdownPrivilege	4008	svchost.exe
Token: SeUndockPrivilege	4008	svchost.exe
Token: SeManageVolumePrivilege	4008	svchost.exe
Token: 33	4008	svchost.exe
Token: 34	4008	svchost.exe
Token: 35	4008	svchost.exe
Token: 36	4008	svchost.exe
Token: SeIncreaseQuotaPrivilege	3308	msiexec.exe
Token: SeSecurityPrivilege	3308	msiexec.exe
Token: SeTakeOwnershipPrivilege	3308	msiexec.exe
Token: SeLoadDriverPrivilege	3308	msiexec.exe
Token: SeSystemProfilePrivilege	3308	msiexec.exe
Token: SeSystemtimePrivilege	3308	msiexec.exe
Token: SeProfSingleProcessPrivilege	3308	msiexec.exe
Token: SeIncBasePriorityPrivilege	3308	msiexec.exe
Token: SeCreatePagefilePrivilege	3308	msiexec.exe
Token: SeBackupPrivilege	3308	msiexec.exe
Token: SeRestorePrivilege	3308	msiexec.exe
Token: SeShutdownPrivilege	3308	msiexec.exe
Token: SeDebugPrivilege	3308	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3308	msiexec.exe
Token: SeRemoteShutdownPrivilege	3308	msiexec.exe
Token: SeUndockPrivilege	3308	msiexec.exe
Token: SeManageVolumePrivilege	3308	msiexec.exe
Token: 33	3308	msiexec.exe
Token: 34	3308	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

372 7zFM.exe
372 7zFM.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3500 Explorer.EXE

pid	process
372	7zFM.exe
372	7zFM.exe

pid	process
3500	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Google Play Gift Cards Generator And Checker v3 By X-LINE.exesysctemapp.exeChecker.exesvchost.exeExplorer.EXEsvchost.comsvchost.comB6CETM~1.EXEsvchost.comGOOGLE~1.EXE

description	pid	process	target process
PID 3172 wrote to memory of 4544	3172	Google Play Gift Cards Generator And Checker v3 By X-LINE.exe	sysctemapp.exe
PID 3172 wrote to memory of 4544	3172	Google Play Gift Cards Generator And Checker v3 By X-LINE.exe	sysctemapp.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 3172 wrote to memory of 3236	3172	Google Play Gift Cards Generator And Checker v3 By X-LINE.exe	Checker.exe
PID 3172 wrote to memory of 3236	3172	Google Play Gift Cards Generator And Checker v3 By X-LINE.exe	Checker.exe
PID 3172 wrote to memory of 3236	3172	Google Play Gift Cards Generator And Checker v3 By X-LINE.exe	Checker.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 4008	4544	sysctemapp.exe	svchost.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 3308	4544	sysctemapp.exe	msiexec.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 4544 wrote to memory of 2012	4544	sysctemapp.exe	audiodg.exe
PID 3236 wrote to memory of 4872	3236	Checker.exe	Checker.exe
PID 3236 wrote to memory of 4872	3236	Checker.exe	Checker.exe
PID 3236 wrote to memory of 4872	3236	Checker.exe	Checker.exe
PID 4008 wrote to memory of 3500	4008	svchost.exe	Explorer.EXE
PID 3500 wrote to memory of 1180	3500	Explorer.EXE	svchost.com
PID 3500 wrote to memory of 1180	3500	Explorer.EXE	svchost.com
PID 3500 wrote to memory of 1180	3500	Explorer.EXE	svchost.com
PID 1180 wrote to memory of 3120	1180	svchost.com	A5A6TM~1.EXE
PID 1180 wrote to memory of 3120	1180	svchost.com	A5A6TM~1.EXE
PID 1180 wrote to memory of 3120	1180	svchost.com	A5A6TM~1.EXE
PID 3500 wrote to memory of 3388	3500	Explorer.EXE	svchost.com
PID 3500 wrote to memory of 3388	3500	Explorer.EXE	svchost.com
PID 3500 wrote to memory of 3388	3500	Explorer.EXE	svchost.com
PID 3388 wrote to memory of 2992	3388	svchost.com	B6CETM~1.EXE
PID 3388 wrote to memory of 2992	3388	svchost.com	B6CETM~1.EXE
PID 2992 wrote to memory of 4628	2992	B6CETM~1.EXE	B6CETM~1.EXE
PID 2992 wrote to memory of 4628	2992	B6CETM~1.EXE	B6CETM~1.EXE
PID 3500 wrote to memory of 2064	3500	Explorer.EXE	svchost.com
PID 3500 wrote to memory of 2064	3500	Explorer.EXE	svchost.com
PID 3500 wrote to memory of 2064	3500	Explorer.EXE	svchost.com
PID 2064 wrote to memory of 1072	2064	svchost.com	GOOGLE~1.EXE
PID 2064 wrote to memory of 1072	2064	svchost.com	GOOGLE~1.EXE
PID 1072 wrote to memory of 1948	1072	GOOGLE~1.EXE	svchost.com
PID 1072 wrote to memory of 1948	1072	GOOGLE~1.EXE	svchost.com
PID 1072 wrote to memory of 1948	1072	GOOGLE~1.EXE	svchost.com
PID 1072 wrote to memory of 464	1072	GOOGLE~1.EXE	Checker.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Google Play Gift Cards Generator And Checker v3 By X-LINE.zip"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:372
- C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Google Play Gift Cards Generator And Checker v3 By X-LINE.exe
  "C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Google Play Gift Cards Generator And Checker v3 By X-LINE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\sysctemapp.exe
    "C:\Users\Admin\AppData\Local\Temp\sysctemapp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4008
  - - C:\Windows\system32\audiodg.exe
      "C:\Windows\system32\audiodg.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:2012
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3308
- - C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Checker.exe
    "Checker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\Checker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1260
        5⤵
        Program crash
        
        PID:4492
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A5A6TM~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\A5A6TM~1.EXE
    C:\Users\Admin\AppData\Local\Temp\A5A6TM~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3120
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\B6CETM~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\B6CETM~1.EXE
    C:\Users\Admin\AppData\Local\Temp\B6CETM~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\B6CETM~1.EXE
      C:\Users\Admin\AppData\Local\Temp\B6CETM~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4628
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\Desktop\GOOGLE~1\GOOGLE~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\Desktop\GOOGLE~1\GOOGLE~1.EXE
    C:\Users\Admin\Desktop\GOOGLE~1\GOOGLE~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSCTE~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\SYSCTE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSCTE~1.EXE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:852
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        
        PID:976
      - C:\Windows\system32\audiodg.exe
        
        "C:\Windows\system32\audiodg.exe"
        6⤵
        
        PID:1464
      - C:\Windows\system32\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe"
        6⤵
        
        PID:4020
  - - C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Checker.exe
      "Checker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:464
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Checker.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\3582-490\Checker.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\Checker.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1224
        7⤵
        Program crash
        
        PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4872 -ip 4872
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2776 -ip 2776
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Checker.exe

Filesize
2.4MB

MD5
41071245809b9354c1c2477cb876238d

SHA1
31f82fd85edd4e4f5ce6c8ba25b6132bd9c95946

SHA256
2d81ce152aae729a062c245b4cf21237f128395f37bcb7467ea22bf791fe0aad

SHA512
7be19ad8365433461b03be6490f9e0f709e501cfdaff9d39d58279f77eca2b5f9e60b45abb5e6c6aa1ea42efbab84b167a4fdc0e6f199a78d68627b9156d0bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5A6.tmp.x.exe

Filesize
300KB

MD5
97eb7baa28471ec31e5373fcd7b8c880

SHA1
397efcd2fae0589e9e29fc2153ffb18a86a9b709

SHA256
9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb

SHA512
323389357a9ffc5e96f5d6ef78ceb2ec5c62e4dcc1e868524b4188aff2497810ad16de84e498a3e49640ad0d58eadf2ba9c6ec24e512aa64d319331f003d7ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6CE.tmp.zx.exe

Filesize
5.6MB

MD5
56378523b35cf8ccf01b7dfd0a7893ab

SHA1
ab9be30874a86ecb840bad21ca89840ed61b9c52

SHA256
ddb9ac7733ce2526159ac300526b41acfe437b45c73a404fc29a29ab2f0a183f

SHA512
ff32919ce3c9e074caf16e557e46d517b0e9fa15b71e01ef771cc66e369330a08bca8f7e94f7013bcac1db9482a5acb11ac152d7739e282efbe32764dd148d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
1dccf27f2967601ce6666c8611317f03

SHA1
d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b

SHA256
6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387

SHA512
70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
569a7ac3f6824a04282ff708c629a6d2

SHA1
fc0d78de1075dfd4c1024a72074d09576d4d4181

SHA256
84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2

SHA512
e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
623283471b12f1bdb83e25dbafaf9c16

SHA1
ecbba66f4dca89a3faa3e242e30aefac8de02153

SHA256
9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7

SHA512
54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
61f70f2d1e3f22e976053df5f3d8ecb7

SHA1
7d224b7f404cde960e6b7a1c449b41050c8e9c58

SHA256
2695761b010d22fdfda2b5e73cf0ac7328ccc62b4b28101d5c10155dd9a48020

SHA512
1ddc568590e9954db198f102be99eabb4133b49e9f3b464f2fc7f31cc77d06d5a7132152f4b331332c42f241562ee6c7bf1c2d68e546db3f59ab47eaf83a22cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
1322690996cf4b2b7275a7950bad9856

SHA1
502e05ed81e3629ea3ed26ee84a4e7c07f663735

SHA256
5660030ee4c18b1610fb9f46e66f44d3fc1cf714ecce235525f08f627b3738d7

SHA512
7edc06bfa9e633351291b449b283659e5dd9e706dd57ade354bce3af55df4842491af27c7721b2acc6948078bdfc8e9736fec46e0641af368d419c7ed6aebd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
95612a8a419c61480b670d6767e72d09

SHA1
3b94d1745aff6aafeff87fed7f23e45473f9afc9

SHA256
6781071119d66757efa996317167904697216ad72d7c031af4337138a61258d4

SHA512
570f15c2c5aa599332dd4cfb3c90da0dd565ca9053ecf1c2c05316a7f623615dd153497e93b38df94971c8abf2e25bc1aaaf3311f1cda432f2670b32c767012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-profile-l1-1-0.dll

Filesize
18KB

MD5
654d95515ab099639f2739685cb35977

SHA1
9951854a5cf407051ce6cd44767bfd9bd5c4b0cc

SHA256
c4868e4cebdf86126377a45bd829d88449b4aa031c9b1c05edc47d6d395949d4

SHA512
9c9dd64a3ad1136ba62cca14fc27574faaebc3de1e371a86b83599260424a966dfd813991a5ef0b2342e0401cb99ce83cd82c19fcae73c7decdb92bac1fb58a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
19KB

MD5
e6b7681ccc718ddb69c48abe8709fdd6

SHA1
a518b705746b2c6276f56a2f1c996360b837d548

SHA256
4b532729988224fe5d98056cd94fc3e8b4ba496519f461ef5d9d0ff9d9402d4b

SHA512
89b20affaa23e674543f0f2e9b0a8b3ecd9a8a095e19d50e11c52cb205dafdbf2672892fd35b1c45f16e78ae9b61525de67dbe7673f8ca450aa8c42feeac0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
bcb412464f01467f1066e94085957f42

SHA1
716c11b5d759d59dbfec116874e382d69f9a25b6

SHA256
f040b6e07935b67599ea7e32859a3e93db37ff4195b28b4451ad0d274db6330e

SHA512
79ec0c5ee21680843c8b7f22da3155b7607d5be269f8a51056cc5f060ad3a48ced3b6829117262aba1a90e692374b59ddfe92105d14179f631efc0c863bfdecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
b98598657162de8fbc1536568f1e5a4f

SHA1
f7c020220025101638fd690d86c53d895a03e53c

SHA256
f596c72be43db3a722b7c7a0fd3a4d5aea68267003986fbfd278702af88efa74

SHA512
ad5f46a3f4f6e64a5dcb85c328f1b8daefa94fc33f59922328fdcfedc04a8759f16a1a839027f74b7d7016406c20ac47569277620d6b909e09999021b669a0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
b751571148923d943f828a1deb459e24

SHA1
d4160404c2aa6aeaf3492738f5a6ce476a0584a6

SHA256
b394b1142d060322048fb6a8ac6281e4576c0e37be8da772bc970f352dd22a20

SHA512
26e252ff0c01e1e398ebddcc5683a58cdd139161f2b63b65bde6c3e943e85c0820b24486859c2c597af6189de38ca7fe6fa700975be0650cb53c791cd2481c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
20KB

MD5
8aea681e0e2b9abbf73a924003247dbb

SHA1
5bafc2e0a3906723f9b12834b054e6f44d7ff49f

SHA256
286068a999fe179ee91b289360dd76e89365900b130a50e8651a9b7ece80b36d

SHA512
08c83a729036c94148d9a5cbc03647fa2adea4fba1bbb514c06f85ca804eefbf36c909cb6edc1171da8d4d5e4389e15e52571baa6987d1f1353377f509e269ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
edd61ff85d75794dc92877f793a2cef6

SHA1
de9f1738fc8bf2d19aa202e34512ec24c1ccb635

SHA256
8aca888849e9089a3a56fa867b16b071951693ab886843cfb61bd7a5b08a1ece

SHA512
6cef9b256cdca1a401971ca5706adf395961b2d3407c1fff23e6c16f7e2ce6d85d946843a53532848fcc087c18009c08f651c6eb38112778a2b4b33e8c64796c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
633dca52da4ebaa6f4bf268822c6dc88

SHA1
1ebfc0f881ce338d2f66fcc3f9c1cbb94cdc067e

SHA256
424fd5d3d3297a8ab1227007ef8ded5a4f194f24bd573a5211be71937aa55d22

SHA512
ed058525ee7b4cc7e12561c7d674c26759a4301322ff0b3239f3183911ce14993614e3199d8017b9bfde25c8cb9ac0990d318bb19f3992624b39ec0f084a8df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
43bf2037bfd3fb60e1fedac634c6f86e

SHA1
959eebe41d905ad3afa4254a52628ec13613cf70

SHA256
735703c0597da278af8a6359fc051b9e657627f50ad5b486185c2ef328ad571b

SHA512
7042846c009efea45ca5fafdc08016eca471a8c54486ba03f212abba47467f8744e9546c8f33214620f97dbcc994e3002788ad0db65b86d8a3e4ff0d8a9d0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
d51bc845c4efbfdbd68e8ccffdad7375

SHA1
c82e580ec68c48e613c63a4c2f9974bb59182cf6

SHA256
89d9f54e6c9ae1cb8f914da1a2993a20de588c18f1aaf4d66efb20c3a282c866

SHA512
2e353cf58ad218c3e068a345d1da6743f488789ef7c6b96492d48571dc64df8a71ad2db2e5976cfd04cf4b55455e99c70c7f32bd2c0f4a8bed1d29c2dafc17b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
487f72d0cf7dc1d85fa18788a1b46813

SHA1
0aabff6d4ee9a2a56d40ee61e4591d4ba7d14c0d

SHA256
560baf1b87b692c284ccbb82f2458a688757231b315b6875482e08c8f5333b3d

SHA512
b7f4e32f98bfdcf799331253faebb1fb08ec24f638d8526f02a6d9371c8490b27d03db3412128ced6d2bbb11604247f3f22c8380b1bf2a11fb3bb92f18980185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29922\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysctemapp.exe

Filesize
23KB

MD5
18ba97473a5ff4ecd0d25aee1ac36ddd

SHA1
9b9dad90f6dcd55c6d20857649ce5279c6a9b8d7

SHA256
feefce2d619431c33f6e7167eb467df24ee45b45a8b7c8f804cdf0aa1a04b732

SHA512
0601b17d4b715ba4def5811f94ceeecc62542a9ce53ccef548313e69499cf34f80c8c231d3dd56c71adb05bfcccede58e4d8f76838cd1b2095003bd804ab7c77

Download Submit
C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Checker.exe

Filesize
2.5MB

MD5
234988dde3cd0efdc5e56c8d89e68ab6

SHA1
77fcb52112b5487e2f2a603e05f2f0da7acb9b35

SHA256
2945e339dbb821de4a5db8b4fcd6a2a5ac861f45cac4ecc565a3800dab0751bf

SHA512
0abf58fae0ddb7d1b7699a03fc6a10a47afd4d7a84570060a583ab9230c5211de0f1d403da1f105f38b4295a166fb89dce0bc142c932585f3336f8b5a531659b

Download Submit
C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Google Play Gift Cards Generator And Checker v3 By X-LINE.exe

Filesize
2.7MB

MD5
843ce26bed9d7320416f9753b85cca01

SHA1
8a39094386b17fe59f8dfe4f4f1e6410c22daacf

SHA256
02b3950e142c0d4da2ca3324bfc142c277c0a90d2b2242726bf57ce0ba3cda58

SHA512
240fde1dd4e355d008e81c67c1481953a09167402034a3ab30420a083b8384816f4af70d66249facd1a8e502b5d6d4e58ecb38029b21746efcf27dab0db5e034

Download Submit
C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Google Play Gift Cards Generator And Checker v3 By X-LINE.exe

Filesize
2.7MB

MD5
48710464a5bc1126a9ab2348814e56b4

SHA1
acd603d8217af1471bca0bc9edfae08de8e5fe54

SHA256
f4eeecdc612ad92f92196f518e92ec29f4acff4991fac1ee77d61cacf25422d2

SHA512
b57915d510301e615e8e353063bd560aaca6d11eea2bc1bb61d2a8ff4116de0d903a6458b9e5327d1b42aac060d30e0bedb9a3a523c467e30001d6bf54ed3728

Download Submit
C:\Users\Admin\Desktop\Google Play Gift Cards Generator And Checker v3 By X-LINE\Protect32.dll

Filesize
743KB

MD5
54fb01cc27de40b955fd59aad9afb0d2

SHA1
3030e1efa305d14ce2c9e1a703d76080f0540bd7

SHA256
d3b44e0dceb22fab65f0acfa09ff136916fcd45da51dacc338a969e85a5bdad7

SHA512
08060e49152aee55b6ccbf18a28bc68293382c1260584bdd008139fc41029ad69d429b0b98da4bb4cb6e39876a5753ceff79ea946527c681e40230d5effac59a

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
38cf3cbde9fa03f6650b9eeffd60e2cc

SHA1
8af7c7057dac6f969901c4b10e94c2b485017c9a

SHA256
d05dbb8d6b98591ccf0f1695ee565bcaad2efc41ff7897eb5b09d7f7ada1414d

SHA512
0c60c8734773b2a2e74dd71bbcb85ecd231fb23fccd89c07b3925a4b67a7fdb4d24b5bf3d9ee421719357bed546d76705f3dcb18720e89176dcb973889bebe66

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
fa9cd95c7b6a8b8d41c2d086e1a8986a

SHA1
2cdf12103ad098084c80cf5c4ec2640a2bfce67e

SHA256
d378f1573444e90497a488fd47d1c13f987497b3368c7cffb1a4e833b4dca354

SHA512
6f0c6d00a14e67b91bd7dc81c78f543831c0485c385c2fad1418cfe11194de1d06fce0eacaad5f144ada755242e8707be28dc6b6f6367251c00b8edf82b54c0e

Download Submit
C:\Windows\directx.sys

Filesize
94B

MD5
78de7429b3b85e13dea7c58be01dd8d3

SHA1
085ef9ffa987bb2f9caa9fbed48aa2ae74d454eb

SHA256
a4660c6bb6c1e86d6ac32fe68824ae46bce476645f48844aa2ab8631186c3337

SHA512
324d86810e194b513e0bc56df04fe8bb3f5f16930eb71fb27a7904da9b4bfb162acef9ec8c628e7b2059288d39a47bf943ca55b4b2baf67511752eb2ab3a6ee9

Download Submit
C:\Windows\directx.sys

Filesize
56B

MD5
b7b2e985fc43e739cbf5ca3b4d2ab9fc

SHA1
88399a9c33d50a2cd90fbaa2773ba1ad061b7861

SHA256
8f9533254f26cd2df436fdcdf221d99118a4b1919fe45c464b59ab9da6839675

SHA512
6c4764ff34b03d9d5d5652245244e208a5e3b479a28b764fc64a030473aa38583ba879aed73348336c72ec20d3bb8849969a06bcac1285ed4a5b938eb6264d9a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
5ff9f204eb3c0efd28e4a776667e656f

SHA1
27ad2a627e693adc9fb4261e6fa0252426395534

SHA256
2a05d0a63a7b3e1d4bae33736d52dc161b1646c0da7eea2db26860c8350c4e69

SHA512
049934cd4430089cd223f2a80a9497a04612ba7c08e4435a03a5ba6792b3d2a793694a8bac7b024b69efe8f8256353d85f04d177d91ed65237111a05c7e8164a

Download Submit
memory/464-365-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/976-337-0x00007FF7738F0000-0x00007FF7738FB000-memory.dmp

Filesize
44KB

Download
memory/1180-295-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1464-353-0x00007FF7B1800000-0x00007FF7B180B000-memory.dmp

Filesize
44KB

Download
memory/1948-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-42-0x00007FF7B1800000-0x00007FF7B180B000-memory.dmp

Filesize
44KB

Download
memory/2012-44-0x00007FF7B1800000-0x00007FF7B180B000-memory.dmp

Filesize
44KB

Download
memory/2012-52-0x00007FF7B1800000-0x00007FF7B180B000-memory.dmp

Filesize
44KB

Download
memory/2012-51-0x00007FF7B1800000-0x00007FF7B180B000-memory.dmp

Filesize
44KB

Download
memory/2064-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2552-371-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3120-157-0x0000000000EB0000-0x0000000000F02000-memory.dmp

Filesize
328KB

Download
memory/3120-161-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/3120-302-0x00000000072D0000-0x0000000007320000-memory.dmp

Filesize
320KB

Download
memory/3120-163-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/3120-165-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/3120-179-0x0000000006A40000-0x0000000007058000-memory.dmp

Filesize
6.1MB

Download
memory/3120-181-0x0000000005A60000-0x0000000005A72000-memory.dmp

Filesize
72KB

Download
memory/3120-301-0x0000000007A30000-0x0000000007F5C000-memory.dmp

Filesize
5.2MB

Download
memory/3120-300-0x0000000007330000-0x00000000074F2000-memory.dmp

Filesize
1.8MB

Download
memory/3120-180-0x0000000005B30000-0x0000000005C3A000-memory.dmp

Filesize
1.0MB

Download
memory/3120-182-0x0000000005AC0000-0x0000000005AFC000-memory.dmp

Filesize
240KB

Download
memory/3120-183-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/3120-294-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/3236-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3236-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3308-29-0x00007FF72BB20000-0x00007FF72BB2B000-memory.dmp

Filesize
44KB

Download
memory/3308-43-0x00007FF72BB20000-0x00007FF72BB2B000-memory.dmp

Filesize
44KB

Download
memory/3308-50-0x00007FF72BB20000-0x00007FF72BB2B000-memory.dmp

Filesize
44KB

Download
memory/3308-35-0x00007FF72BB20000-0x00007FF72BB2B000-memory.dmp

Filesize
44KB

Download
memory/3388-372-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3500-72-0x00000000112B0000-0x0000000011304000-memory.dmp

Filesize
336KB

Download
memory/3500-66-0x0000000011160000-0x00000000111A6000-memory.dmp

Filesize
280KB

Download
memory/4008-30-0x00007FF7738F0000-0x00007FF7738FB000-memory.dmp

Filesize
44KB

Download
memory/4008-297-0x00007FF7738F0000-0x00007FF7738FB000-memory.dmp

Filesize
44KB

Download
memory/4008-40-0x00007FF7738F0000-0x00007FF7738FB000-memory.dmp

Filesize
44KB

Download
memory/4008-28-0x00007FF7738F0000-0x00007FF7738FB000-memory.dmp

Filesize
44KB

Download
memory/4020-351-0x00007FF72BB20000-0x00007FF72BB2B000-memory.dmp

Filesize
44KB

Download
memory/4872-68-0x0000000000E90000-0x0000000001106000-memory.dmp

Filesize
2.5MB

Download
memory/4872-71-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/4872-164-0x0000000007DD0000-0x0000000007E6C000-memory.dmp

Filesize
624KB

Download
memory/4872-169-0x0000000008230000-0x0000000008286000-memory.dmp

Filesize
344KB

Download