hxxps://file[.]garden/ZzOCUl6h5X8NnK9Z/SpoofX%20Spoofer[.]rar

Analysis

max time kernel
66s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.garden/ZzOCUl6h5X8NnK9Z/SpoofX%20Spoofer.rar

Score

10^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 22 IoCs

pid	Process
3804	SpoofX.exe
4868	spoofx.exe
2980	icsys.icn.exe
4196	explorer.exe
1828	spoolsv.exe
2576	svchost.exe
3648	spoolsv.exe
4868	HardDiskSerialNumberChanger.exe
5076	harddiskserialnumberchanger.exe
4244	icsys.icn.exe
1464	explorer.exe
3804	SpoofX.exe
4868	spoofx.exe
2980	icsys.icn.exe
4196	explorer.exe
1828	spoolsv.exe
2576	svchost.exe
3648	spoolsv.exe
4868	HardDiskSerialNumberChanger.exe
5076	harddiskserialnumberchanger.exe
4244	icsys.icn.exe
1464	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\M:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\O:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\R:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\S:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\V:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\E:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\G:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\W:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\Z:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\X:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\P:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\T:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\L:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\N:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\U:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\B:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\J:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\K:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\Q:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\Y:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\A:	harddiskserialnumberchanger.exe
File opened (read-only)	\??\I:	harddiskserialnumberchanger.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SpoofX.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	HardDiskSerialNumberChanger.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpoofX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HardDiskSerialNumberChanger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	harddiskserialnumberchanger.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1268	msedge.exe
1268	msedge.exe
3996	msedge.exe
3996	msedge.exe
1104	identity_helper.exe
1104	identity_helper.exe
2372	msedge.exe
2372	msedge.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2576	svchost.exe
4196	explorer.exe
2576	svchost.exe
4196	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	464	7zG.exe
Token: 35	464	7zG.exe
Token: SeSecurityPrivilege	464	7zG.exe
Token: SeSecurityPrivilege	464	7zG.exe
Token: SeIncreaseQuotaPrivilege	736	WMIC.exe
Token: SeSecurityPrivilege	736	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	WMIC.exe
Token: SeLoadDriverPrivilege	736	WMIC.exe
Token: SeSystemProfilePrivilege	736	WMIC.exe
Token: SeSystemtimePrivilege	736	WMIC.exe
Token: SeProfSingleProcessPrivilege	736	WMIC.exe
Token: SeIncBasePriorityPrivilege	736	WMIC.exe
Token: SeCreatePagefilePrivilege	736	WMIC.exe
Token: SeBackupPrivilege	736	WMIC.exe
Token: SeRestorePrivilege	736	WMIC.exe
Token: SeShutdownPrivilege	736	WMIC.exe
Token: SeDebugPrivilege	736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	736	WMIC.exe
Token: SeRemoteShutdownPrivilege	736	WMIC.exe
Token: SeUndockPrivilege	736	WMIC.exe
Token: SeManageVolumePrivilege	736	WMIC.exe
Token: 33	736	WMIC.exe
Token: 34	736	WMIC.exe
Token: 35	736	WMIC.exe
Token: 36	736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	736	WMIC.exe
Token: SeSecurityPrivilege	736	WMIC.exe
Token: SeTakeOwnershipPrivilege	736	WMIC.exe
Token: SeLoadDriverPrivilege	736	WMIC.exe
Token: SeSystemProfilePrivilege	736	WMIC.exe
Token: SeSystemtimePrivilege	736	WMIC.exe
Token: SeProfSingleProcessPrivilege	736	WMIC.exe
Token: SeIncBasePriorityPrivilege	736	WMIC.exe
Token: SeCreatePagefilePrivilege	736	WMIC.exe
Token: SeBackupPrivilege	736	WMIC.exe
Token: SeRestorePrivilege	736	WMIC.exe
Token: SeShutdownPrivilege	736	WMIC.exe
Token: SeDebugPrivilege	736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	736	WMIC.exe
Token: SeRemoteShutdownPrivilege	736	WMIC.exe
Token: SeUndockPrivilege	736	WMIC.exe
Token: SeManageVolumePrivilege	736	WMIC.exe
Token: 33	736	WMIC.exe
Token: 34	736	WMIC.exe
Token: 35	736	WMIC.exe
Token: 36	736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2316	WMIC.exe
Token: SeSecurityPrivilege	2316	WMIC.exe
Token: SeTakeOwnershipPrivilege	2316	WMIC.exe
Token: SeLoadDriverPrivilege	2316	WMIC.exe
Token: SeSystemProfilePrivilege	2316	WMIC.exe
Token: SeSystemtimePrivilege	2316	WMIC.exe
Token: SeProfSingleProcessPrivilege	2316	WMIC.exe
Token: SeIncBasePriorityPrivilege	2316	WMIC.exe
Token: SeCreatePagefilePrivilege	2316	WMIC.exe
Token: SeBackupPrivilege	2316	WMIC.exe
Token: SeRestorePrivilege	2316	WMIC.exe
Token: SeShutdownPrivilege	2316	WMIC.exe
Token: SeDebugPrivilege	2316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2316	WMIC.exe
Token: SeRemoteShutdownPrivilege	2316	WMIC.exe
Token: SeUndockPrivilege	2316	WMIC.exe
Token: SeManageVolumePrivilege	2316	WMIC.exe
Token: 33	2316	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
464	7zG.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1828	OpenWith.exe
3980	OpenWith.exe
3980	OpenWith.exe
3980	OpenWith.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
1828	spoolsv.exe
1828	spoolsv.exe
1828	spoolsv.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
3648	spoolsv.exe
3648	spoolsv.exe
3648	spoolsv.exe
4868	HardDiskSerialNumberChanger.exe
4868	HardDiskSerialNumberChanger.exe
4868	HardDiskSerialNumberChanger.exe
5076	harddiskserialnumberchanger.exe
4244	icsys.icn.exe
4244	icsys.icn.exe
4244	icsys.icn.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1828	OpenWith.exe
3980	OpenWith.exe
3980	OpenWith.exe
3980	OpenWith.exe
3804	SpoofX.exe
3804	SpoofX.exe
3804	SpoofX.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
2980	icsys.icn.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
1828	spoolsv.exe
1828	spoolsv.exe
1828	spoolsv.exe
2576	svchost.exe
2576	svchost.exe
2576	svchost.exe
3648	spoolsv.exe
3648	spoolsv.exe
3648	spoolsv.exe
4868	HardDiskSerialNumberChanger.exe
4868	HardDiskSerialNumberChanger.exe
4868	HardDiskSerialNumberChanger.exe
5076	harddiskserialnumberchanger.exe
4244	icsys.icn.exe
4244	icsys.icn.exe
4244	icsys.icn.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 3080	3996	msedge.exe	82
PID 3996 wrote to memory of 3080	3996	msedge.exe	82
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 3860	3996	msedge.exe	83
PID 3996 wrote to memory of 1268	3996	msedge.exe	84
PID 3996 wrote to memory of 1268	3996	msedge.exe	84
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85
PID 3996 wrote to memory of 1648	3996	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.garden/ZzOCUl6h5X8NnK9Z/SpoofX%20Spoofer.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1a0a46f8,0x7ffb1a0a4708,0x7ffb1a0a4718
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,665498712273056811,11591096432582561263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4916

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SpoofX Spoofer\" -ad -an -ai#7zMap4845:90:7zEvent31748
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:464

C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX.exe
"C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3804
- \??\c:\users\admin\downloads\spoofx spoofer\spoofx.exe
  "c:\users\admin\downloads\spoofx spoofer\spoofx.exe "
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2980
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4196
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1828
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2576
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3648

C:\Users\Admin\Downloads\SpoofX Spoofer\HardDiskSerialNumberChanger.exe
"C:\Users\Admin\Downloads\SpoofX Spoofer\HardDiskSerialNumberChanger.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4868
- \??\c:\users\admin\downloads\spoofx spoofer\harddiskserialnumberchanger.exe
  "c:\users\admin\downloads\spoofx spoofer\harddiskserialnumberchanger.exe "
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4244
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX cleaners\alternate mac spoof.bat" "
1⤵
PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  PID:2380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:3792
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:728
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:2996
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:3724
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 1EECF6E877E6 /f
  2⤵
  PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
  2⤵
  PID:4524
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where physicaladapter=true get deviceid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\system32\findstr.exe
    findstr [0-9]
    3⤵
    PID:448
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
  2⤵
  PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
  2⤵
  PID:4080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
    3⤵
    PID:1524
- C:\Windows\system32\netsh.exe
  netsh interface set interface name="Ethernet" disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\40a6f980-8146-42fa-961c-9328994848ed.tmp

Filesize
6KB

MD5
038d5405828a705f21b6c823a501ac38

SHA1
e3f3f63bcd8993a28cf63142488192176620d794

SHA256
4bbaec8dbeb29d4f7108d8e1401c92742100263c30ebf6c387358c527903d693

SHA512
06a4b8bf06d3f7bcd7d68209aa53132e876f359c0c2f6fecce79035c3c55ea4fcec21bf489304e27e7a2f81deee9f71f84fe3ee25de95f4650c557cf011998f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05536410d9561dd1c88fc978520ab0bb

SHA1
01d327a00e3c417b6771068420550cb699253b26

SHA256
bdec95fc0a429624dcceda1fee518dc49e2a87ec0e2f71b0db0d58f196f9e10b

SHA512
3c62e69af90bf8e79ad66167f39e63799067a70dc96de1d71c6bd36d09c4c9fadab77b64fd9d5f42ed6f726a73b4bc25b839a5dd56ee4d3c2b82c6caef454794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bc33d60b532a129b17b8b9a4c32bab7f

SHA1
1488a50a2c5a2a142aba510a0af1e468a561bd1a

SHA256
9b3f81827de228928bda25b4c91ef7300d02c897ebbb8e28c00cf9ad36a67693

SHA512
2c3c8f21aba0b4cecb1f6088e8942a25e18726d4992be9d085e0835226d6f67016538961b1e53bb7d8e7dfc7dc9c20eec0bf9f76b409e729dfc0bd9a1fbc6413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
595aa67b0c74c77dad9dc7ccb8a39ab9

SHA1
a67322a7bb0d9cabcff8744e88374b325863d39e

SHA256
546db4f076bfa9573a8d6e803bb2aeac1bcb90742719dc179a18faea7cc262b3

SHA512
7cd86ae5110499517e96c512e9f70fbcb5c9499031c47bbc683466c1e18e6f0c63734906860b1e99671ca042d817ed6035d44b908c2ee7a19ac39ee33ea46550

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer.rar

Filesize
12.5MB

MD5
6a415e47d5eb20e3d1c0869197b2fa36

SHA1
30485b6f12d76d323344fe57d1c2c7efbb0684fd

SHA256
64561a9439cde20585027f0c69ecea1e3e01dfe6704e2e5636d44e3ce3901543

SHA512
004c13529866494a10e98f57b747ed939315489023b115a58a4ab288f491a2b99fe9cfc0c1e709aacd5eaab1d5e5a56392c91dfadecd14ff8bcb6ae8ea159570

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\HardDiskSerialNumberChanger.exe

Filesize
771KB

MD5
4a63611b061b48c5bdf9cd9400098d5f

SHA1
3a151c533f23299aafb964fa532baf05b80f80c4

SHA256
b7e7ce1f506af875df798a1a700521bec70afd4218f2eade6e832eef7d441392

SHA512
5e0683fb6bc0bdaf1685bfb348c48774d42f2cdf152bac1512c04b43b3bb72cca4d0aadd6b5c021c37ddf0f83d15a6803e46a4c7d84e94a609880ae9160a63fb

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX cleaners\VixenCleaner.exe

Filesize
5.1MB

MD5
bdab0990fadc6728b0470628d4215204

SHA1
18d04899a19ba2fd8ac2c84ac14385e66a6762ea

SHA256
11efbfb6744041867cec293bcd2261c22f7d3f71a00b3357d29d17bffd3c0bbc

SHA512
8cc6bb3975016135f8febf55243934a758fb496b5465b937b661f6d6db3f016bb500bcf08c4d1f8ce2e2c1925ee941930bf6faed967e54f416fbe90d688112c8

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX cleaners\alternate mac spoof.bat

Filesize
2KB

MD5
cdaa7941a4356bfe23adf6c65ed7b8b1

SHA1
0e47e8022e4cece737fea016f13e5ef4cbc9abfc

SHA256
f1c330aa968765df064f743f8a2501c9a00ec262ee696d5a4d0cbd2e8035b1f2

SHA512
f17a8bea6372c3dfbdf85846ab62f39881e0971ff4406e2fdf9d9450ff8421a327e337626b2b0a9096cb1156e426860de77f212798400878f3efe166adb27fea

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX cleaners\applecleaner_2.exe

Filesize
3.8MB

MD5
8a6bafd2b2dc6a5bd92b521bb2cd2af8

SHA1
aeb333563237e9fc3c532bcb919abce74769435b

SHA256
c3a2a8eb113883c3001890657ca2903f7f3f447060dc558d9e50c6ba22a47f2f

SHA512
ebbe346d50ebe2d7c134e2ae7823846fef7fabdb0929758afecba28841f59ebec0962db0714ce66e13d31b53b3880008f45bb7e0e69f39733f2c5407a95ecc81

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX cleaners\bitcheats_cleaner.exe

Filesize
2.6MB

MD5
a83e59d9ba3f5053a6b2d6e5ac24f8ec

SHA1
6cc14a19509846af9fa26db978b273616ccf31fd

SHA256
d993cc9c997dd4b6dd576a651f20b225072cd11bc22c5b3dbda51502dda8c071

SHA512
165e0494655f8b122dcfa6a7b67e0a169198a928ee986723dfb117d71f204ad2a69567e96d1d550368dc7fdd51a5fcb8775c7cc145ac6a65bcca26a3f5108a2e

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\SpoofX.exe

Filesize
2.9MB

MD5
bafe98fde65f7b51b1f2a1dbc62a6c88

SHA1
1bf16c146dedf6bb2e6a272abb8c9883525a9649

SHA256
b2e8dbdaf60dbf348e715a5643a767cbd5eeabd0699988eedc78eb80595d0f5d

SHA512
9219fef6ec1438964d5aa7c1813f852ce581491025d7e9448095ca4416de951f4fc68361c2bc5460154407f4aca4a4270ed5b72b3d3c5c98df1815405de97765

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\harddiskserialnumberchanger.exe

Filesize
636KB

MD5
c20e96d4e616ce333c19a1c15a1cc137

SHA1
f79645ec115130ee59958c55a556f564260b7a9e

SHA256
2c141c06f7df57f11ef2c62f2a96093484a65df47065b1a475c53784af0e2664

SHA512
519fec9955c4a18e45ec68d9e7dc2bcda74721a6ea088e59e634e26b136bfa15f5efedf8839c036a3cfdcdb9780a2121dc2d71f1fdbbfd3df02d9969e5db753b

Download Submit
C:\Users\Admin\Downloads\SpoofX Spoofer\spoofx.exe

Filesize
2.8MB

MD5
e6acb564763adbc0c7af1e7c1de314a3

SHA1
77c5fde92d723c2b0c47b27a6559ee461a9079aa

SHA256
be477d54367117c635c42cd3d360996a15fc3c1ad264238c25b179d9070396d2

SHA512
764703f25556bf50ac19bc648d3246f90fc6055ef1340517144758b5028a4a135855035dfe91a30fdbb7ab9aabf0eb5f4fe65cff12348a6c887b36b3bf67c1cb

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
4e4483ec61e7062309d36b086bcead74

SHA1
cd656381a8cb5bf9f081cbfb8caa5f4668b36326

SHA256
176684998f808a4851144acce647cf115cb8e1df962a4944d1e2d81a62d2855f

SHA512
cfdfb0aa86d1988d63035a8e95a6db08a771ea02a1f6335124f13108ce2c9f026ff9dfe63971123df4b517352b937b8cc79d6fa40ba3317122e29d8de3d33b67

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
bb5c74fe047e063455fd82211aeb86f5

SHA1
e62545fa23913c20c8f365ef8654189ee03d2b79

SHA256
13e727a78869653195db6645679146cdb19614d35b8bda5b8cea961d6b9ebed7

SHA512
521cd6a4f42bf3ddab85c131e7952d4c36f8e610c811b4f0f7fb7da7894324cc4bfba6dcca7a471f05d2c768e4561e5d303c2bae991d424e51057540419841e2

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
8fdf4a2a676ba330b84ea00db89e087a

SHA1
d9624d6568ab81a729630ee64c6b3ac2c6858507

SHA256
634151855fe984b0e3e5c3b5e544e410a5ab5020b5fafba9fc59202cb02c6de4

SHA512
c3f3221c9a33806287d3a92c8e67252cd7dc91d467377c4ee7e0a47e02e55463b45bee990d627f3a4871cdade9803f850310890ef497a49fa33555fcbc0f1c0f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
308c57a9828ff1cccadbecb8320f6fc1

SHA1
057865ed54792f441fae454f2bfc46f0a7f9910e

SHA256
2cc634d2d19e0561fc6e4e015bdb668505a2e076e210401a3e68fee5df052cde

SHA512
3cf0186ecdd748e81ed9b99e795d2d54c0865697a175db52170054ebb2f9f0dfc4cc6ab062e39aa4705124b195a75534a36395ef15363898b39d9b9fe1942b9b

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
11ebbba4ab1c3f8eb67f5d0ef8ed053a

SHA1
1197af353436434aaf4af95f4ee5fba5da80c012

SHA256
4fcc8cd22d2eeafbe487ce69614668d6edbe6c19a68c23ceb2831c94e0c6837f

SHA512
47e33a60e9c5ec191ca48e70b3302cdccce7d094a2fa7d849d71259a5bbe09f0ffde55b90a2f1c9e8c51537ef93f26599b5d69ec543a9207e635cde40ae38da9

Download Submit
memory/1464-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1828-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1828-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3648-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3648-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3804-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3804-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3804-123-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3804-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4868-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4868-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4868-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4868-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5076-212-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5076-212-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download