cerber | hxxps://github[.]com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer[.]rar

Resubmissions

12/07/2024, 12:49

240712-p2q5faweqd 10

12/07/2024, 12:48

240712-p1rdtatgml 10

Analysis

max time kernel
63s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar

Score

10^/10

cerber evasion ransomware themida trojan

Malware Config

Signatures

Cerber 6 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AFUWINx64.EXE
		1900	taskkill.exe
		1292	taskkill.exe
		2260	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner_2.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner_2.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 62004f00630048005300200020002d002000300000000000	applecleaner_2.exe

Executes dropped EXE 6 IoCs

pid	Process
1016	freeSpoofer.exe
1708	applecleaner_2.exe
5312	AMIDEWINx64.EXE
1848	AMIDEWINx64.EXE
4436	AFUWINx64.EXE
5280	Volumeid64.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023514-116.dat	themida
behavioral1/memory/1708-126-0x00007FF792FC0000-0x00007FF793962000-memory.dmp	themida
behavioral1/memory/1708-129-0x00007FF792FC0000-0x00007FF793962000-memory.dmp	themida
behavioral1/memory/1708-130-0x00007FF792FC0000-0x00007FF793962000-memory.dmp	themida
behavioral1/memory/1708-128-0x00007FF792FC0000-0x00007FF793962000-memory.dmp	themida
behavioral1/memory/1708-131-0x00007FF792FC0000-0x00007FF793962000-memory.dmp	themida
behavioral1/memory/1708-141-0x00007FF792FC0000-0x00007FF793962000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner_2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner_2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1708	applecleaner_2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner_2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "0d422a95-d92af203-1"	applecleaner_2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "e4bac759-809024a1-0"	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner_2.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1292	taskkill.exe
2260	taskkill.exe
1900	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
744	msedge.exe
744	msedge.exe
1808	identity_helper.exe
1808	identity_helper.exe
4400	msedge.exe
4400	msedge.exe
1708	applecleaner_2.exe
1708	applecleaner_2.exe
1016	freeSpoofer.exe
1016	freeSpoofer.exe
1016	freeSpoofer.exe
1016	freeSpoofer.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4572	7zG.exe
Token: 35	4572	7zG.exe
Token: SeSecurityPrivilege	4572	7zG.exe
Token: SeSecurityPrivilege	4572	7zG.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
4572	7zG.exe
1016	freeSpoofer.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
1016	freeSpoofer.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	OpenWith.exe
4436	AFUWINx64.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2992	744	msedge.exe	85
PID 744 wrote to memory of 2992	744	msedge.exe	85
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 4900	744	msedge.exe	87
PID 744 wrote to memory of 1776	744	msedge.exe	88
PID 744 wrote to memory of 1776	744	msedge.exe	88
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89
PID 744 wrote to memory of 1836	744	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9733f46f8,0x7ff9733f4708,0x7ff9733f4718
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13036466160557869610,9510845207129333225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\freeSpoofer\" -ad -an -ai#7zMap25071:84:7zEvent24777
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:932

C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe
"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1016
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe
  2⤵
  PID:4436
- - C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe
    C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Checks system information in the registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
      4⤵
      PID:4060
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EpicGamesLauncher.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
      4⤵
      PID:3392
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
      4⤵
      PID:2280
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Battle.net.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://applecheats.cc
      4⤵
      PID:3728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
        5⤵
        
        PID:2492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9733f46f8,0x7ff9733f4708,0x7ff9733f4718
        6⤵
        
        PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt
  2⤵
  PID:5252
- - C:\Windows\system32\net.exe
    net user administrator /active:yes
    3⤵
    PID:5268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator /active:yes
      4⤵
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt"
    3⤵
    PID:5280
  - - C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE
      C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\alt.txt
      4⤵
      Cerber
      Executes dropped EXE
      PID:5312

C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE
"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE"
1⤵
- Cerber
- Executes dropped EXE
PID:1848

C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE
"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE"
1⤵
- Cerber
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe
"C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe"
1⤵
- Executes dropped EXE
PID:5280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
480B

MD5
80264febe4f75a3d7f1b78712b08cfd3

SHA1
9d8edc052bbbd815ba9bfae2291641e67cda89b5

SHA256
b024e3565983346514743e7a115c298bfdcc5e2e98d1679d34bae2d79299be17

SHA512
9d07e9af59f0375d79fa2d008b5ad3272ed237da2130bf0c3ed9c52fdf7f9b122fffd7aa5c3f32c14ef46785d28e2828952ae93a14d6873d7687e7fb6fc9e214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b7d05e411615e6d8b2d84d04c47d13f4

SHA1
815e6723a4ae26000ddfb4d8281cc816acd20c9a

SHA256
7b49ec1392a49151cb8bfd344258a5456ce807fe4b6d86a519afe99e203260af

SHA512
4ad00714d3cff9d5f305737dba190a9f2daa0c6826c789f12d1308d576b83ff7e6287d8bea332eaab8f86163517304dd41d8de859dbfe852146cec9445ce9a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d36583669783f4ab7c3bbc50dc704d36

SHA1
fa1c214444ceecd2b3caa83c53ab1c20676fa525

SHA256
d5d32b6be05ca62475cf69e20297b00aa0d6287d1e371e0c33c69fb2c1e68082

SHA512
656d6f0edfdbe2d00e0c673000aa4a3b203c25c9d3eba56368a84fbbc96fd1a77c681fe18217f8b6b61590a06826ee929d903c35769c5ef671cc8d9e0d740278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea383715651e73683a43d13cbe1c75ff

SHA1
af970cb28193868472b9f8b7aafad2135f8ee3da

SHA256
200771988d68bbf5f02b510c6e32ab69c32ca5bcfcdbca220df9e346c557f828

SHA512
a849d496999ec6288ec33651bdcd49498741c148123ac58b437dcb0f88492e261827b93d77880aa4f2645ecba812ea21df1badf39943c02a129504c3d931eabd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d25663b3d201382050573635ca8728a

SHA1
a828e310dd0c047aac031f4ebca6dc0004c38262

SHA256
ab2ff0ced993be7ffda67aa501113eefbe79f3eb4dc524ea93af50ed215c5018

SHA512
71bf4efbd2915b50f2d1643d9d0e5bb26ee0fc1e4043f6d7e995a2eb3afcf3eb560082100e79c5000ca3834e91f4733988d238c2e6796b80ed1cbb9c51901c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
2b6064a474110cdbc7ef2d0d933f1d8c

SHA1
d1776a0387609a0d0d6621658309f6913e829378

SHA256
c5002910f4de3e647f0607934c6d482fca4178d9535129b44d7dea78f4611718

SHA512
b2cd602a45b7aa596a211df0a20f2f12075712503121d02b0807c336fbf07e67c449ed7c0d11df09831e9d5b9007c15cac3b1439be9932953b5145ed7ed85ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584c85.TMP

Filesize
371B

MD5
39d1b2b332a700485f23c383ced9bf52

SHA1
d43d0acf30820d06fca55e393bf2a5c527470069

SHA256
8d15413d464b1be8456b0534d17f581e3aae07476906eefa06a1d8e0fb8ccda8

SHA512
68d17502f4724222cc676f73dfa39f3dfc93d7b7ab6209dcd8dee1d3f2295d8a1215d4d1078ef60f735e0f733c0bfb6ebd3ed800678d4d62d68c03b7117ad100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
66c68cfd424e15bc0d4c2e2f3075ee39

SHA1
e5d2a7a83a20663d1015e594528862e148e7995b

SHA256
8fda0c38f5bce47e46a182e5e636535517aba0d868ae5f2936ce1535644bf7a8

SHA512
9b6a0f1998973724ba5c5f2826ef562d7b0d91d5de58a38488698d82794f26ef5a04c322d2b16d4d9040dfa4bdd3acb3ee03374d25396d44d29407490db37194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b19c9478f7b0841cdc7e4aa36ffd9f7f

SHA1
b766de6e06e336153da76565564e086244b6514a

SHA256
dbfeb9f50ff8e31d17815ff2fcc1e089c0a0b51bef33d90fa38613803d39dc3e

SHA512
b110d2898b5a8d792cdba4c66c966b89534e6a7abf4cea7cec5bfcdb7d25348e645b1c8f25d91cd7c7f224b0afd0c79f35716139e00be25bfa360883271911c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5932dedc8936d849c2449c87336455f8

SHA1
49fa9abb1ba65e7a2cf4964275f14a337999595c

SHA256
f3770fdd3023abb4146ac7f71071d6d9d3715ce0b5940a64aa414ed29c91f17a

SHA512
58b38acb50faf9821411d5e3f49b57e08e4674d43365c3d236ffa91fd101d9e509d82ad0052af6ee66c629aa4ff14a4c68dc294de8feb6d76ede713d57b78505

Download Submit
C:\Users\Admin\Downloads\freeSpoofer.rar

Filesize
13.8MB

MD5
4de784dcf73d6a71b45f090e999a591b

SHA1
a0dbb8326e1d122c8ef4f8a2bdfb3ec406ad8ebf

SHA256
94985615c3a4143304e8f85e41d9f1bd2281d073d47ade04dcac1f63d31305c2

SHA512
83e92a5bea27d2ea801296bee5e249f971e2501d7fb7ebb406d6ff43a75ab2c899b74864e317be4e89a4979787d5a3e600a64dece18dffa1145a991edf11d39d

Download Submit
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\freeSpoofer.exe

Filesize
1.4MB

MD5
57749553c159683cf8c646bea1fa7e21

SHA1
414bdd48c6fd752f6d6100ad1c38fdecda8ffece

SHA256
5f1287749ae0d7025a05ab21ab24a6ccce54618f0890e51e85c12f76b0559d13

SHA512
6f3138fe1628880e30e7c451f285f8090ec41463c19aaabe2f42395f366d9f29dfe86a07a9086b0da1e1c52f71746fdb82f16a86c472a209996eb94098c19c41

Download Submit
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AFUWINx64.EXE

Filesize
1015KB

MD5
59a47fc8e9b4396dddb52907a8a54177

SHA1
d16c0825ea1ce721b00df160d826475fda2bae44

SHA256
03e11400f15251c9bf2d764b1020f32904f9569a426adfbe26b21e04898c8800

SHA512
e857e9627b811d48510e14f0b8e65a12eb4153d0e05ad322cc8b95f6ee5c52cc018a1073acecbed43148de26e5c252ae9a2a6d5fdda1b585dfc41f030bb2f6e3

Download Submit
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\AMIDEWINx64.EXE

Filesize
377KB

MD5
8690997c90d94b5a10f2fe39caa0d7a6

SHA1
ad05c719b046da3946e370409b342e3c67946a87

SHA256
157f846e4865f27898917304ba4480f6d67a327cbb25a790f885a78b8fba6db1

SHA512
39d2ff1aa49cdb302fd88f6903d71d0008e89ff9113eab8a3ca2b7dbc0e5604a059f8c6f798c97971149f80a379a73ea6900ad46cce5203effe5c226bcd080e0

Download Submit
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\applecleaner_2.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Users\Admin\Downloads\freeSpoofer\freeSpoofer\tools\lvafudrv64.sys

Filesize
35KB

MD5
8d533ae1500f743a177b27c88a241163

SHA1
52c25cf4c903714fa52870a16d143fb6aeb0fa99

SHA256
b9e8de155fb9aabb4760034a65855130eb85aadc88963e40e2be87b049c025bf

SHA512
546c9309b9b078ce4c49a3b56ec8d77b0fd4c0bd583f4bce53705f854fe2addba5c8029ed8b8da9e944b2c212d2ee0508095bf20c12632b760a5c271d19940de

Download Submit
memory/1708-141-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

Filesize
9.6MB

Download
memory/1708-126-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

Filesize
9.6MB

Download
memory/1708-129-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

Filesize
9.6MB

Download
memory/1708-130-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

Filesize
9.6MB

Download
memory/1708-131-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

Filesize
9.6MB

Download
memory/1708-128-0x00007FF792FC0000-0x00007FF793962000-memory.dmp

Filesize
9.6MB

Download