Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
7freeSpoofe...er.exe
windows7-x64
10freeSpoofe...er.exe
windows10-2004-x64
10freeSpoofe...64.exe
windows7-x64
1freeSpoofe...64.exe
windows10-2004-x64
1freeSpoofe...64.exe
windows7-x64
1freeSpoofe...64.exe
windows10-2004-x64
1freeSpoofe...64.sys
windows10-2004-x64
1freeSpoofe...64.exe
windows7-x64
1freeSpoofe...64.exe
windows10-2004-x64
1freeSpoofe...64.sys
windows10-2004-x64
1freeSpoofe..._2.exe
windows7-x64
9freeSpoofe..._2.exe
windows10-2004-x64
9freeSpoofe...64.sys
windows10-2004-x64
1freeSpoofe...er.exe
windows7-x64
7freeSpoofe...er.exe
windows10-2004-x64
7freeSpoofe...AC.exe
windows7-x64
3freeSpoofe...AC.exe
windows10-2004-x64
3freeSpoofe...p.html
windows7-x64
3freeSpoofe...p.html
windows10-2004-x64
3Analysis
-
max time kernel
134s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
11/01/2025, 16:02
Behavioral task
behavioral1
Sample
freeSpoofer/freeSpoofer.exe
Resource
win7-20240729-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
freeSpoofer/freeSpoofer.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
19 signatures
150 seconds
Behavioral task
behavioral3
Sample
freeSpoofer/tools/AFUWINx64.exe
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral4
Sample
freeSpoofer/tools/AFUWINx64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral5
Sample
freeSpoofer/tools/AMIDEWINx64.exe
Resource
win7-20241010-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral6
Sample
freeSpoofer/tools/AMIDEWINx64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral7
Sample
freeSpoofer/tools/LeCrud64.sys
Resource
win10v2004-20241007-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
freeSpoofer/tools/Volumeid64.exe
Resource
win7-20240903-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral9
Sample
freeSpoofer/tools/Volumeid64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral10
Sample
freeSpoofer/tools/amigendrv64.sys
Resource
win10v2004-20241007-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral11
Sample
freeSpoofer/tools/applecleaner_2.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral12
Sample
freeSpoofer/tools/applecleaner_2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral13
Sample
freeSpoofer/tools/lvafudrv64.sys
Resource
win10v2004-20241007-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral14
Sample
freeSpoofer/tools/tmac/Installer.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral15
Sample
freeSpoofer/tools/tmac/Installer.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral16
Sample
freeSpoofer/tools/tmac/TMAC.exe
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral17
Sample
freeSpoofer/tools/tmac/TMAC.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral18
Sample
freeSpoofer/tools/tmac/help.html
Resource
win7-20241010-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral19
Sample
freeSpoofer/tools/tmac/help.html
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
freeSpoofer/freeSpoofer.exe
-
Size
1.4MB
-
MD5
57749553c159683cf8c646bea1fa7e21
-
SHA1
414bdd48c6fd752f6d6100ad1c38fdecda8ffece
-
SHA256
5f1287749ae0d7025a05ab21ab24a6ccce54618f0890e51e85c12f76b0559d13
-
SHA512
6f3138fe1628880e30e7c451f285f8090ec41463c19aaabe2f42395f366d9f29dfe86a07a9086b0da1e1c52f71746fdb82f16a86c472a209996eb94098c19c41
-
SSDEEP
24576:wUNxvqF6FGYJf6yjNQpNONZNlTX5PlGPgquLEIWxUc7N11QaSYx7Gq6n9uX5:wUNxvC6FGYJf6yjNQpNONZnTX5PlGPgQ
Score
10/10
Malware Config
Signatures
-
Cerber 4 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
description ioc pid Process 2728 taskkill.exe 1504 taskkill.exe Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} AMIDEWINx64.EXE 2836 taskkill.exe -
Cerber family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ applecleaner_2.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion applecleaner_2.exe Set value (data) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 63004f00340048005300200020002d002000630000000000 applecleaner_2.exe -
resource yara_rule behavioral1/memory/2336-0-0x000000013FCA0000-0x0000000140642000-memory.dmp themida behavioral1/memory/2944-1-0x000000013FCA0000-0x0000000140642000-memory.dmp themida behavioral1/memory/2944-3-0x000000013FCA0000-0x0000000140642000-memory.dmp themida behavioral1/memory/2944-5-0x000000013FCA0000-0x0000000140642000-memory.dmp themida behavioral1/memory/2944-4-0x000000013FCA0000-0x0000000140642000-memory.dmp themida behavioral1/memory/2944-6-0x000000013FCA0000-0x0000000140642000-memory.dmp themida behavioral1/memory/2944-30-0x000000013FCA0000-0x0000000140642000-memory.dmp themida -
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini applecleaner_2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini applecleaner_2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini iexplore.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini applecleaner_2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini applecleaner_2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini applecleaner_2.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini applecleaner_2.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2944 applecleaner_2.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2720 cmd.exe -
Enumerates system info in registry 2 TTPs 18 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU applecleaner_2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral applecleaner_2.exe Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "7ff7a5f3-4f8adf75-2" applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion applecleaner_2.exe Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "0a5e89fc-7a8891dd-9" applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer applecleaner_2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier applecleaner_2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily applecleaner_2.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral applecleaner_2.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer applecleaner_2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion applecleaner_2.exe -
Kills process with taskkill 3 IoCs
pid Process 2728 taskkill.exe 1504 taskkill.exe 2836 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442773214" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50304f484264db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{733CFEA1-D035-11EF-902B-EAA2AC88CDB5} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf3ce3db1270424f9c32fe45a6d8533b000000000200000000001066000000010000200000000be79671c1b8a72e467a8baf7d2f82a92817d7ed974c5b5f3c6bcea7acf88660000000000e800000000200002000000094848aee12148c52333303bcf1e13ca616dbc0e13beccd97b938675cca009fc1200000000f8d1154357095477da614b8f8a132d25ee850602096c0f6a4cf17b0933f787140000000003ab00dbd543a26e87c1f65db2e39343fd367a321b113de2df595ba4b8ab9baba73d301da4816e4aced90a2e904cbb9986bc1faa629242c73e2055aa4bdc98c iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf3ce3db1270424f9c32fe45a6d8533b0000000002000000000010660000000100002000000060c42e28af28b3bcb6362fe810387f56858680fcfb0e9f9dfaf2e7d5be7a5660000000000e8000000002000020000000bfa522c7cc84c35403b5155ab86f06b1bddfdbcf8bc4cac7e4b7e995c37a132b90000000be18ead7464410b1d0d5d45e6a281acc7a2a9fbcd7af7c89a2a035c872a5469c7cd9f18f25c4df7c42000eeb85437dfbe1aec468f33c8089a915a171d86d18b237f29eda3a969cc4dd8dc84381bf4a3f61ae9b920c089e236bbd504c80fc3d0f2b0df4e265fa040a9b38a65d55598b849f5aeec7364851bfd58d0750be2364db7dbe6a9cdb7aef5dbb59ad4f0e9038c740000000eebd668a17c2d273801a16dc154ab0510b2ada9bfe5fcf2d033047190798e6c4bac4f37353569dc874e17927a3e76a260255ff30017ebf917a0304b7dda810f6 iexplore.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2944 applecleaner_2.exe 908 freeSpoofer.exe 908 freeSpoofer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 480 Process not Found -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2728 taskkill.exe Token: SeDebugPrivilege 1504 taskkill.exe Token: SeDebugPrivilege 2836 taskkill.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 908 freeSpoofer.exe 2708 iexplore.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 908 freeSpoofer.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2708 iexplore.exe 2708 iexplore.exe 1128 IEXPLORE.EXE 1128 IEXPLORE.EXE 1128 IEXPLORE.EXE 1128 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 908 wrote to memory of 2336 908 freeSpoofer.exe 30 PID 908 wrote to memory of 2336 908 freeSpoofer.exe 30 PID 908 wrote to memory of 2336 908 freeSpoofer.exe 30 PID 2336 wrote to memory of 2944 2336 cmd.exe 31 PID 2336 wrote to memory of 2944 2336 cmd.exe 31 PID 2336 wrote to memory of 2944 2336 cmd.exe 31 PID 2944 wrote to memory of 2156 2944 applecleaner_2.exe 33 PID 2944 wrote to memory of 2156 2944 applecleaner_2.exe 33 PID 2944 wrote to memory of 2156 2944 applecleaner_2.exe 33 PID 2156 wrote to memory of 2728 2156 cmd.exe 34 PID 2156 wrote to memory of 2728 2156 cmd.exe 34 PID 2156 wrote to memory of 2728 2156 cmd.exe 34 PID 2944 wrote to memory of 2720 2944 applecleaner_2.exe 36 PID 2944 wrote to memory of 2720 2944 applecleaner_2.exe 36 PID 2944 wrote to memory of 2720 2944 applecleaner_2.exe 36 PID 2720 wrote to memory of 1504 2720 cmd.exe 37 PID 2720 wrote to memory of 1504 2720 cmd.exe 37 PID 2720 wrote to memory of 1504 2720 cmd.exe 37 PID 2944 wrote to memory of 2828 2944 applecleaner_2.exe 38 PID 2944 wrote to memory of 2828 2944 applecleaner_2.exe 38 PID 2944 wrote to memory of 2828 2944 applecleaner_2.exe 38 PID 2828 wrote to memory of 2836 2828 cmd.exe 39 PID 2828 wrote to memory of 2836 2828 cmd.exe 39 PID 2828 wrote to memory of 2836 2828 cmd.exe 39 PID 2944 wrote to memory of 2016 2944 applecleaner_2.exe 40 PID 2944 wrote to memory of 2016 2944 applecleaner_2.exe 40 PID 2944 wrote to memory of 2016 2944 applecleaner_2.exe 40 PID 2016 wrote to memory of 2708 2016 cmd.exe 41 PID 2016 wrote to memory of 2708 2016 cmd.exe 41 PID 2016 wrote to memory of 2708 2016 cmd.exe 41 PID 2708 wrote to memory of 1128 2708 iexplore.exe 42 PID 2708 wrote to memory of 1128 2708 iexplore.exe 42 PID 2708 wrote to memory of 1128 2708 iexplore.exe 42 PID 2708 wrote to memory of 1128 2708 iexplore.exe 42 PID 2944 wrote to memory of 1316 2944 applecleaner_2.exe 43 PID 2944 wrote to memory of 1316 2944 applecleaner_2.exe 43 PID 2944 wrote to memory of 1316 2944 applecleaner_2.exe 43 PID 908 wrote to memory of 1112 908 freeSpoofer.exe 44 PID 908 wrote to memory of 1112 908 freeSpoofer.exe 44 PID 908 wrote to memory of 1112 908 freeSpoofer.exe 44 PID 1112 wrote to memory of 1072 1112 cmd.exe 45 PID 1112 wrote to memory of 1072 1112 cmd.exe 45 PID 1112 wrote to memory of 1072 1112 cmd.exe 45 PID 1112 wrote to memory of 744 1112 cmd.exe 46 PID 1112 wrote to memory of 744 1112 cmd.exe 46 PID 1112 wrote to memory of 744 1112 cmd.exe 46 PID 1072 wrote to memory of 1632 1072 net.exe 47 PID 1072 wrote to memory of 1632 1072 net.exe 47 PID 1072 wrote to memory of 1632 1072 net.exe 47 PID 744 wrote to memory of 2648 744 cmd.exe 48 PID 744 wrote to memory of 2648 744 cmd.exe 48 PID 744 wrote to memory of 2648 744 cmd.exe 48
Processes
-
C:\Users\Admin\AppData\Local\Temp\freeSpoofer\freeSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\freeSpoofer\freeSpoofer.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\system32\cmd.execmd.exe /c start C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\applecleaner_2.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\applecleaner_2.exeC:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\applecleaner_2.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient-Win64-Shipping.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&14⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\system32\taskkill.exetaskkill /f /im Battle.net.exe5⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://applecheats.cc4⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://applecheats.cc/5⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1128
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause4⤵PID:1316
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c net user administrator /active:yes |start C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\alt.txt2⤵
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\system32\net.exenet user administrator /active:yes3⤵
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator /active:yes4⤵PID:1632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\alt.txt"3⤵
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\AMIDEWINx64.EXEC:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\AppData\Local\Temp\freeSpoofer\tools\alt.txt4⤵
- Cerber
PID:2648
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b