Resubmissions

12/07/2024, 12:49

240712-p2q5faweqd 10

12/07/2024, 12:48

240712-p1rdtatgml 10

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 12:48

General

  • Target

    https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar

Malware Config

Signatures

  • Cerber 6 IoCs

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Checks system information in the registry 2 TTPs 1 IoCs

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 21 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9733f46f8,0x7ff9733f4708,0x7ff9733f4718
      2⤵
        PID:2992
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        2⤵
          PID:4900
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1776
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
          2⤵
            PID:1836
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
            2⤵
              PID:3660
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
              2⤵
                PID:2652
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
                2⤵
                  PID:3740
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1808
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4832 /prefetch:8
                  2⤵
                    PID:2824
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
                    2⤵
                      PID:1316
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4400
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
                      2⤵
                        PID:3632
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
                        2⤵
                          PID:3824
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
                          2⤵
                            PID:5088
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
                            2⤵
                              PID:1524
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
                              2⤵
                                PID:2260
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
                                2⤵
                                  PID:3296
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
                                  2⤵
                                    PID:4840
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
                                    2⤵
                                      PID:5136
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
                                      2⤵
                                        PID:5544
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1848
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:4300
                                        • C:\Windows\system32\OpenWith.exe
                                          C:\Windows\system32\OpenWith.exe -Embedding
                                          1⤵
                                          • Modifies registry class
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2628
                                        • C:\Program Files\7-Zip\7zG.exe
                                          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\freeSpoofer\" -ad -an -ai#7zMap25071:84:7zEvent24777
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          PID:4572
                                        • C:\Windows\System32\rundll32.exe
                                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                          1⤵
                                            PID:932
                                          • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe
                                            "C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe"
                                            1⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:1016
                                            • C:\Windows\SYSTEM32\cmd.exe
                                              cmd.exe /c start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe
                                              2⤵
                                                PID:4436
                                                • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe
                                                  C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe
                                                  3⤵
                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                  • Checks BIOS information in registry
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Checks system information in the registry
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • Enumerates system info in registry
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:1708
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
                                                    4⤵
                                                      PID:4060
                                                      • C:\Windows\system32\taskkill.exe
                                                        taskkill /f /im EpicGamesLauncher.exe
                                                        5⤵
                                                        • Cerber
                                                        • Kills process with taskkill
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2260
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
                                                      4⤵
                                                        PID:3392
                                                        • C:\Windows\system32\taskkill.exe
                                                          taskkill /f /im FortniteClient-Win64-Shipping.exe
                                                          5⤵
                                                          • Cerber
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1900
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
                                                        4⤵
                                                          PID:2280
                                                          • C:\Windows\system32\taskkill.exe
                                                            taskkill /f /im Battle.net.exe
                                                            5⤵
                                                            • Cerber
                                                            • Kills process with taskkill
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1292
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c start https://applecheats.cc
                                                          4⤵
                                                            PID:3728
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
                                                              5⤵
                                                                PID:2492
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9733f46f8,0x7ff9733f4708,0x7ff9733f4718
                                                                  6⤵
                                                                    PID:2052
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c pause
                                                                4⤵
                                                                  PID:4360
                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                              cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt
                                                              2⤵
                                                                PID:5252
                                                                • C:\Windows\system32\net.exe
                                                                  net user administrator /active:yes
                                                                  3⤵
                                                                    PID:5268
                                                                    • C:\Windows\system32\net1.exe
                                                                      C:\Windows\system32\net1 user administrator /active:yes
                                                                      4⤵
                                                                        PID:5296
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt"
                                                                      3⤵
                                                                        PID:5280
                                                                        • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE
                                                                          C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt
                                                                          4⤵
                                                                          • Cerber
                                                                          • Executes dropped EXE
                                                                          PID:5312
                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE
                                                                    "C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE"
                                                                    1⤵
                                                                    • Cerber
                                                                    • Executes dropped EXE
                                                                    PID:1848
                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE
                                                                    "C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE"
                                                                    1⤵
                                                                    • Cerber
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:4436
                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe
                                                                    "C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe"
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    PID:5280

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Downloads

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                    Filesize

                                                                    152B

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                    Filesize

                                                                    152B

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

                                                                    Filesize

                                                                    480B

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                    Filesize

                                                                    7KB

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                    Filesize

                                                                    7KB

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                    Filesize

                                                                    6KB

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                    Filesize

                                                                    6KB

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                    Filesize

                                                                    539B

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584c85.TMP

                                                                    Filesize

                                                                    371B

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                    Filesize

                                                                    16B

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                    Filesize

                                                                    11KB

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                    Filesize

                                                                    11KB

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                    Filesize

                                                                    11KB

                                                                  • C:\Users\Admin\Downloads\freeSpoofer.rar

                                                                    Filesize

                                                                    13.8MB

                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe

                                                                    Filesize

                                                                    1.4MB

                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE

                                                                    Filesize

                                                                    1015KB

                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE

                                                                    Filesize

                                                                    377KB

                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe

                                                                    Filesize

                                                                    165KB

                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe

                                                                    Filesize

                                                                    3.6MB

                                                                  • C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\lvafudrv64.sys

                                                                    Filesize

                                                                    35KB

                                                                  • memory/1708-141-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

                                                                    Filesize

                                                                    9.6MB

                                                                  • memory/1708-126-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

                                                                    Filesize

                                                                    9.6MB

                                                                  • memory/1708-129-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

                                                                    Filesize

                                                                    9.6MB

                                                                  • memory/1708-130-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

                                                                    Filesize

                                                                    9.6MB

                                                                  • memory/1708-131-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

                                                                    Filesize

                                                                    9.6MB

                                                                  • memory/1708-128-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

                                                                    Filesize

                                                                    9.6MB