Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
65s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
12/07/2024, 12:48
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
Resource
win10v2004-20240709-en
General
-
Target
https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
Malware Config
Signatures
-
Cerber 6 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
description ioc pid Process Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} AMIDEWINx64.EXE Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} AFUWINx64.EXE 1900 taskkill.exe 1292 taskkill.exe 2260 taskkill.exe Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} AMIDEWINx64.EXE -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ applecleaner_2.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion applecleaner_2.exe Set value (data) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 62004f00630048005300200020002d002000300000000000 applecleaner_2.exe -
Executes dropped EXE 6 IoCs
pid Process 1016 freeSpoofer.exe 1708 applecleaner_2.exe 5312 AMIDEWINx64.EXE 1848 AMIDEWINx64.EXE 4436 AFUWINx64.EXE 5280 Volumeid64.exe -
resource yara_rule behavioral1/files/0x0007000000023514-116.dat themida behavioral1/memory/1708-126-0x00007FF792FC0000-0x00007FF793962000-memory.dmp themida behavioral1/memory/1708-129-0x00007FF792FC0000-0x00007FF793962000-memory.dmp themida behavioral1/memory/1708-130-0x00007FF792FC0000-0x00007FF793962000-memory.dmp themida behavioral1/memory/1708-128-0x00007FF792FC0000-0x00007FF793962000-memory.dmp themida behavioral1/memory/1708-131-0x00007FF792FC0000-0x00007FF793962000-memory.dmp themida behavioral1/memory/1708-141-0x00007FF792FC0000-0x00007FF793962000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA applecleaner_2.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 10 raw.githubusercontent.com 11 raw.githubusercontent.com -
Checks system information in the registry 2 TTPs 1 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer applecleaner_2.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1708 applecleaner_2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 21 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion applecleaner_2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 applecleaner_2.exe Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "0d422a95-d92af203-1" applecleaner_2.exe Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "e4bac759-809024a1-0" applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral applecleaner_2.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct applecleaner_2.exe -
Kills process with taskkill 3 IoCs
pid Process 1292 taskkill.exe 2260 taskkill.exe 1900 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings OpenWith.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1776 msedge.exe 1776 msedge.exe 744 msedge.exe 744 msedge.exe 1808 identity_helper.exe 1808 identity_helper.exe 4400 msedge.exe 4400 msedge.exe 1708 applecleaner_2.exe 1708 applecleaner_2.exe 1016 freeSpoofer.exe 1016 freeSpoofer.exe 1016 freeSpoofer.exe 1016 freeSpoofer.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found 656 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeRestorePrivilege 4572 7zG.exe Token: 35 4572 7zG.exe Token: SeSecurityPrivilege 4572 7zG.exe Token: SeSecurityPrivilege 4572 7zG.exe Token: SeDebugPrivilege 2260 taskkill.exe Token: SeDebugPrivilege 1900 taskkill.exe Token: SeDebugPrivilege 1292 taskkill.exe -
Suspicious use of FindShellTrayWindow 54 IoCs
pid Process 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 4572 7zG.exe 1016 freeSpoofer.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe -
Suspicious use of SendNotifyMessage 41 IoCs
pid Process 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 1016 freeSpoofer.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2628 OpenWith.exe 4436 AFUWINx64.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 744 wrote to memory of 2992 744 msedge.exe 85 PID 744 wrote to memory of 2992 744 msedge.exe 85 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 4900 744 msedge.exe 87 PID 744 wrote to memory of 1776 744 msedge.exe 88 PID 744 wrote to memory of 1776 744 msedge.exe 88 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89 PID 744 wrote to memory of 1836 744 msedge.exe 89
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9733f46f8,0x7ff9733f4708,0x7ff9733f47182⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:82⤵PID:1836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:12⤵PID:3660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵PID:2652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵PID:3740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4832 /prefetch:82⤵PID:2824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:12⤵PID:1316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:12⤵PID:3632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵PID:3824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵PID:5088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:12⤵PID:2260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵PID:3296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:12⤵PID:4840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵PID:5136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:12⤵PID:5544
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1848
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4300
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2628
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\freeSpoofer\" -ad -an -ai#7zMap25071:84:7zEvent247771⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4572
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:932
-
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1016 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe2⤵PID:4436
-
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exeC:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1708 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&14⤵PID:4060
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&14⤵PID:3392
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&14⤵PID:2280
-
C:\Windows\system32\taskkill.exetaskkill /f /im Battle.net.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://applecheats.cc4⤵PID:3728
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/5⤵PID:2492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9733f46f8,0x7ff9733f4708,0x7ff9733f47186⤵PID:2052
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause4⤵PID:4360
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt2⤵PID:5252
-
C:\Windows\system32\net.exenet user administrator /active:yes3⤵PID:5268
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:yes4⤵PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt"3⤵PID:5280
-
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXEC:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt4⤵
- Cerber
- Executes dropped EXE
PID:5312
-
-
-
-
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE"1⤵
- Cerber
- Executes dropped EXE
PID:1848
-
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE"1⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4436
-
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe"1⤵
- Executes dropped EXE
PID:5280
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5eaaad45aced1889a90a8aa4c39f92659
SHA15c0130d9e8d1a64c97924090d9a5258b8a31b83c
SHA2565e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b
SHA5120db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4
-
Filesize
152B
MD53ee50fb26a9d3f096c47ff8696c24321
SHA1a8c83e798d2a8b31fec0820560525e80dfa4fe66
SHA256d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f
SHA512479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5
-
Filesize
480B
MD580264febe4f75a3d7f1b78712b08cfd3
SHA19d8edc052bbbd815ba9bfae2291641e67cda89b5
SHA256b024e3565983346514743e7a115c298bfdcc5e2e98d1679d34bae2d79299be17
SHA5129d07e9af59f0375d79fa2d008b5ad3272ed237da2130bf0c3ed9c52fdf7f9b122fffd7aa5c3f32c14ef46785d28e2828952ae93a14d6873d7687e7fb6fc9e214
-
Filesize
7KB
MD5b7d05e411615e6d8b2d84d04c47d13f4
SHA1815e6723a4ae26000ddfb4d8281cc816acd20c9a
SHA2567b49ec1392a49151cb8bfd344258a5456ce807fe4b6d86a519afe99e203260af
SHA5124ad00714d3cff9d5f305737dba190a9f2daa0c6826c789f12d1308d576b83ff7e6287d8bea332eaab8f86163517304dd41d8de859dbfe852146cec9445ce9a95
-
Filesize
7KB
MD5d36583669783f4ab7c3bbc50dc704d36
SHA1fa1c214444ceecd2b3caa83c53ab1c20676fa525
SHA256d5d32b6be05ca62475cf69e20297b00aa0d6287d1e371e0c33c69fb2c1e68082
SHA512656d6f0edfdbe2d00e0c673000aa4a3b203c25c9d3eba56368a84fbbc96fd1a77c681fe18217f8b6b61590a06826ee929d903c35769c5ef671cc8d9e0d740278
-
Filesize
6KB
MD5ea383715651e73683a43d13cbe1c75ff
SHA1af970cb28193868472b9f8b7aafad2135f8ee3da
SHA256200771988d68bbf5f02b510c6e32ab69c32ca5bcfcdbca220df9e346c557f828
SHA512a849d496999ec6288ec33651bdcd49498741c148123ac58b437dcb0f88492e261827b93d77880aa4f2645ecba812ea21df1badf39943c02a129504c3d931eabd
-
Filesize
6KB
MD54d25663b3d201382050573635ca8728a
SHA1a828e310dd0c047aac031f4ebca6dc0004c38262
SHA256ab2ff0ced993be7ffda67aa501113eefbe79f3eb4dc524ea93af50ed215c5018
SHA51271bf4efbd2915b50f2d1643d9d0e5bb26ee0fc1e4043f6d7e995a2eb3afcf3eb560082100e79c5000ca3834e91f4733988d238c2e6796b80ed1cbb9c51901c3d
-
Filesize
539B
MD52b6064a474110cdbc7ef2d0d933f1d8c
SHA1d1776a0387609a0d0d6621658309f6913e829378
SHA256c5002910f4de3e647f0607934c6d482fca4178d9535129b44d7dea78f4611718
SHA512b2cd602a45b7aa596a211df0a20f2f12075712503121d02b0807c336fbf07e67c449ed7c0d11df09831e9d5b9007c15cac3b1439be9932953b5145ed7ed85ec2
-
Filesize
371B
MD539d1b2b332a700485f23c383ced9bf52
SHA1d43d0acf30820d06fca55e393bf2a5c527470069
SHA2568d15413d464b1be8456b0534d17f581e3aae07476906eefa06a1d8e0fb8ccda8
SHA51268d17502f4724222cc676f73dfa39f3dfc93d7b7ab6209dcd8dee1d3f2295d8a1215d4d1078ef60f735e0f733c0bfb6ebd3ed800678d4d62d68c03b7117ad100
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD566c68cfd424e15bc0d4c2e2f3075ee39
SHA1e5d2a7a83a20663d1015e594528862e148e7995b
SHA2568fda0c38f5bce47e46a182e5e636535517aba0d868ae5f2936ce1535644bf7a8
SHA5129b6a0f1998973724ba5c5f2826ef562d7b0d91d5de58a38488698d82794f26ef5a04c322d2b16d4d9040dfa4bdd3acb3ee03374d25396d44d29407490db37194
-
Filesize
11KB
MD5b19c9478f7b0841cdc7e4aa36ffd9f7f
SHA1b766de6e06e336153da76565564e086244b6514a
SHA256dbfeb9f50ff8e31d17815ff2fcc1e089c0a0b51bef33d90fa38613803d39dc3e
SHA512b110d2898b5a8d792cdba4c66c966b89534e6a7abf4cea7cec5bfcdb7d25348e645b1c8f25d91cd7c7f224b0afd0c79f35716139e00be25bfa360883271911c3
-
Filesize
11KB
MD55932dedc8936d849c2449c87336455f8
SHA149fa9abb1ba65e7a2cf4964275f14a337999595c
SHA256f3770fdd3023abb4146ac7f71071d6d9d3715ce0b5940a64aa414ed29c91f17a
SHA51258b38acb50faf9821411d5e3f49b57e08e4674d43365c3d236ffa91fd101d9e509d82ad0052af6ee66c629aa4ff14a4c68dc294de8feb6d76ede713d57b78505
-
Filesize
13.8MB
MD54de784dcf73d6a71b45f090e999a591b
SHA1a0dbb8326e1d122c8ef4f8a2bdfb3ec406ad8ebf
SHA25694985615c3a4143304e8f85e41d9f1bd2281d073d47ade04dcac1f63d31305c2
SHA51283e92a5bea27d2ea801296bee5e249f971e2501d7fb7ebb406d6ff43a75ab2c899b74864e317be4e89a4979787d5a3e600a64dece18dffa1145a991edf11d39d
-
Filesize
1.4MB
MD557749553c159683cf8c646bea1fa7e21
SHA1414bdd48c6fd752f6d6100ad1c38fdecda8ffece
SHA2565f1287749ae0d7025a05ab21ab24a6ccce54618f0890e51e85c12f76b0559d13
SHA5126f3138fe1628880e30e7c451f285f8090ec41463c19aaabe2f42395f366d9f29dfe86a07a9086b0da1e1c52f71746fdb82f16a86c472a209996eb94098c19c41
-
Filesize
1015KB
MD559a47fc8e9b4396dddb52907a8a54177
SHA1d16c0825ea1ce721b00df160d826475fda2bae44
SHA25603e11400f15251c9bf2d764b1020f32904f9569a426adfbe26b21e04898c8800
SHA512e857e9627b811d48510e14f0b8e65a12eb4153d0e05ad322cc8b95f6ee5c52cc018a1073acecbed43148de26e5c252ae9a2a6d5fdda1b585dfc41f030bb2f6e3
-
Filesize
377KB
MD58690997c90d94b5a10f2fe39caa0d7a6
SHA1ad05c719b046da3946e370409b342e3c67946a87
SHA256157f846e4865f27898917304ba4480f6d67a327cbb25a790f885a78b8fba6db1
SHA51239d2ff1aa49cdb302fd88f6903d71d0008e89ff9113eab8a3ca2b7dbc0e5604a059f8c6f798c97971149f80a379a73ea6900ad46cce5203effe5c226bcd080e0
-
Filesize
165KB
MD581a45f1a91448313b76d2e6d5308aa7a
SHA10d615343d5de03da03bce52e11b233093b404083
SHA256fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
-
Filesize
3.6MB
MD5f96eb2236970fb3ea97101b923af4228
SHA1e0eed80f1054acbf5389a7b8860a4503dd3e184a
SHA25646fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
SHA5122fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
-
Filesize
35KB
MD58d533ae1500f743a177b27c88a241163
SHA152c25cf4c903714fa52870a16d143fb6aeb0fa99
SHA256b9e8de155fb9aabb4760034a65855130eb85aadc88963e40e2be87b049c025bf
SHA512546c9309b9b078ce4c49a3b56ec8d77b0fd4c0bd583f4bce53705f854fe2addba5c8029ed8b8da9e944b2c212d2ee0508095bf20c12632b760a5c271d19940de