njrat | hxxps://zippyshare[.]day/KhiRqOimV0yTvua/file

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://zippyshare.day/KhiRqOimV0yTvua/file

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

c3deeffb05c4fa7f233694e4990d7e74

Attributes

reg_key
c3deeffb05c4fa7f233694e4990d7e74
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5484	netsh.exe
5820	netsh.exe
5992	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	HWID Spoofer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	HWID Spoofer.exe

Executes dropped EXE 1 IoCs

pid	Process
4268	HWID Spoofer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HWID Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HWID Spoofer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1484	NOTEPAD.EXE
4476	NOTEPAD.EXE
6052	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3476	identity_helper.exe
3476	identity_helper.exe
5720	msedge.exe
5720	msedge.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe
2216	HWID Spoofer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	HWID Spoofer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5816	WMIC.exe
Token: SeSecurityPrivilege	5816	WMIC.exe
Token: SeTakeOwnershipPrivilege	5816	WMIC.exe
Token: SeLoadDriverPrivilege	5816	WMIC.exe
Token: SeSystemProfilePrivilege	5816	WMIC.exe
Token: SeSystemtimePrivilege	5816	WMIC.exe
Token: SeProfSingleProcessPrivilege	5816	WMIC.exe
Token: SeIncBasePriorityPrivilege	5816	WMIC.exe
Token: SeCreatePagefilePrivilege	5816	WMIC.exe
Token: SeBackupPrivilege	5816	WMIC.exe
Token: SeRestorePrivilege	5816	WMIC.exe
Token: SeShutdownPrivilege	5816	WMIC.exe
Token: SeDebugPrivilege	5816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5816	WMIC.exe
Token: SeRemoteShutdownPrivilege	5816	WMIC.exe
Token: SeUndockPrivilege	5816	WMIC.exe
Token: SeManageVolumePrivilege	5816	WMIC.exe
Token: 33	5816	WMIC.exe
Token: 34	5816	WMIC.exe
Token: 35	5816	WMIC.exe
Token: 36	5816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5816	WMIC.exe
Token: SeSecurityPrivilege	5816	WMIC.exe
Token: SeTakeOwnershipPrivilege	5816	WMIC.exe
Token: SeLoadDriverPrivilege	5816	WMIC.exe
Token: SeSystemProfilePrivilege	5816	WMIC.exe
Token: SeSystemtimePrivilege	5816	WMIC.exe
Token: SeProfSingleProcessPrivilege	5816	WMIC.exe
Token: SeIncBasePriorityPrivilege	5816	WMIC.exe
Token: SeCreatePagefilePrivilege	5816	WMIC.exe
Token: SeBackupPrivilege	5816	WMIC.exe
Token: SeRestorePrivilege	5816	WMIC.exe
Token: SeShutdownPrivilege	5816	WMIC.exe
Token: SeDebugPrivilege	5816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5816	WMIC.exe
Token: SeRemoteShutdownPrivilege	5816	WMIC.exe
Token: SeUndockPrivilege	5816	WMIC.exe
Token: SeManageVolumePrivilege	5816	WMIC.exe
Token: 33	5816	WMIC.exe
Token: 34	5816	WMIC.exe
Token: 35	5816	WMIC.exe
Token: 36	5816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5976	WMIC.exe
Token: SeSecurityPrivilege	5976	WMIC.exe
Token: SeTakeOwnershipPrivilege	5976	WMIC.exe
Token: SeLoadDriverPrivilege	5976	WMIC.exe
Token: SeSystemProfilePrivilege	5976	WMIC.exe
Token: SeSystemtimePrivilege	5976	WMIC.exe
Token: SeProfSingleProcessPrivilege	5976	WMIC.exe
Token: SeIncBasePriorityPrivilege	5976	WMIC.exe
Token: SeCreatePagefilePrivilege	5976	WMIC.exe
Token: SeBackupPrivilege	5976	WMIC.exe
Token: SeRestorePrivilege	5976	WMIC.exe
Token: SeShutdownPrivilege	5976	WMIC.exe
Token: SeDebugPrivilege	5976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5976	WMIC.exe
Token: SeRemoteShutdownPrivilege	5976	WMIC.exe
Token: SeUndockPrivilege	5976	WMIC.exe
Token: SeManageVolumePrivilege	5976	WMIC.exe
Token: 33	5976	WMIC.exe
Token: 34	5976	WMIC.exe
Token: 35	5976	WMIC.exe
Token: 36	5976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5976	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 5012	3620	msedge.exe	88
PID 3620 wrote to memory of 5012	3620	msedge.exe	88
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1212	3620	msedge.exe	89
PID 3620 wrote to memory of 1200	3620	msedge.exe	90
PID 3620 wrote to memory of 1200	3620	msedge.exe	90
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91
PID 3620 wrote to memory of 1952	3620	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://zippyshare.day/KhiRqOimV0yTvua/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb0b046f8,0x7fffb0b04708,0x7fffb0b04718
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,17797298844722483922,15134016240223235065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6120

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_spoofer.zip\steps.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6052

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_spoofer.zip\steps.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\spoofer\checker.bat" "
1⤵
PID:2432
- C:\Windows\system32\mode.com
  mode con: cols=60 lines=37
  2⤵
  PID:4612
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5976
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  PID:5920
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:5724
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  PID:6036
- C:\Windows\system32\getmac.exe
  getmac
  2⤵
  PID:824

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\spoofer\Tutorial.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4476

C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe
"C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2216
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe" "HWID Spoofer.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5484
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall delete allowedprogram "C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5820
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe" "HWID Spoofer.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5992
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5980

C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe
"C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
41KB

MD5
e54a8e3ff39023a57b4d70bd012e9a9b

SHA1
a1cdc7ca30c559ca8d74a36c77d8de88c7b83141

SHA256
5b2082d4e78f090ac854cf92f5b295f6e2d1a3ac9cd2054837868fbc5f56db74

SHA512
9758ba53d6515fd1a561b1d524b765e69c9c7c6b9bc593761b21d582d7d74e21ab3ec22a689b6fdd6f91b92df1e527e3f973e8c25219091be70ea96e990df1c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
214KB

MD5
d20fef07db1e8a9290802e00d1d65064

SHA1
71befda9256ed5b8cd8889f0eeab41c50d66e64e

SHA256
f9cb4624d03224bfce50c4c0e484418acd462c249f38b4684e72b27a1f30144d

SHA512
ad5b2c8df60027c6dd5104bb8c2357b04eb24d69245c607ff99a6f2a887f929428252ad793d9aaa8c903c7b1e1bf9653cd35f79747d5281e7e3d2c21fa828537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
c81c4226ab291aa3f679f101a7a158ec

SHA1
0ff07b49a076f035cc590a15460cdbfe8d3e353e

SHA256
cb5ffc8526b645d5178b77b4cc76564eb070ccb33fa094e654fdc595909f9e3b

SHA512
2995515f8463b3087baca2d21c796bdb249291ec6a7fa2068d43c2a66ab55a52f3eee5f891e55c8a36e58f72e42a1890ebab5b332d28fbb5a44473f44c3ee1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
bc0a5100b1315e7177ccf799730fbe1e

SHA1
d1e40fbcd5985af774034d3ba7863c63cc968788

SHA256
4c396fd4c30a08bdd51c81497a2f5b5a8e4f0dacabf30db68582d27c02cd7bf4

SHA512
7eb603b21784fdb72f2aa88d7fcc47576d5ec53b3a35a998a1465fc921bb5836d036d285871ca56952d6392ce9eddb848f772b546e89deacf5037f776aae83f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5f517c68a22375e599df8a10d78bcc34

SHA1
46679e3f91b713bd01d7f74325994043181c56d1

SHA256
518b736908f1ae889b2e005f5854f7344699069432835feb02ed2128d50783f9

SHA512
20cbab7a3a4aadd1f6bdf90baa1e832d1da3d33cd2711cec89137c880e6ccb708e116949133a3215833e8334aabc0ad6d4c7fa1af32324c1d259e43139ca1db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1609b52f5af1616fcd7a52ff2a2c8753

SHA1
dfeb7c304a4a6a7c66051042792f440cd8fd99f3

SHA256
0652591c14137d8567a2c8ea6b2a3a41b1ae87caf257d866636f09c6f9aaef49

SHA512
d72cc049c6b04e76744f2c8f627dce9d3a6b3090463c6479263f0f725ff396768edf132d62d808479ab9ace3362a870bf6492f2b2613dbe6dfd301c0c2f8753e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fcecdd7c289e1a2134f7c167843730f8

SHA1
bbf9a3976fcfeda8d15f60e571df0188df80f0e3

SHA256
bdd11c2743ec009ee495ec0bb47c04af82c16529d8683e4fd5ab61c975eb2abe

SHA512
a3e9cd249fd58cbc226367d2ab892d9a65d85c09eb907a3fb4477225c75c59691a97a6d9fb8c1c4d1116019d888d8a119100811d9b50eca6137b00d493bebcf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dda620c67e67dc3d06c99e65c921f6ca

SHA1
8494425eabd796bcd407217d6137b5cf89245b9c

SHA256
adba560e39b9abf82e9d9708921acab1bb518f09a53f81fffb734db26b453fbd

SHA512
dfd9aef1ad739379f9113031ee3b8a747030a04dfe2667400e9ee95ca3b0f89b34e43e01fe06e1ddb4c14031438c5628b02a3c2e979bebe16652064d5f00726e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cc98729e82e2a8cba9e6d4b036f8e501

SHA1
ddca271f2bd078991e4f79f51ce65e6592dbb079

SHA256
fc5e78d4de0f0927b624a02562e48f23c104391d4e6f56367b4cf8b603842907

SHA512
9c0f3c0a694e64f0943b29b578134dfed80bdd91ec06975340715edc2b701ed8b18b836eae3df80b2d3a20197abce10a4f81b810a3e4767306d7ff5e72dc7c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5894d8.TMP

Filesize
48B

MD5
a3a84681260b6a423caf4bfadb748798

SHA1
8ffd0706586ba705d56152996b86e3c92f2ac121

SHA256
f78ae5704af6e2b556b45ca6cfe627369087a865daedb7ca10bbbe7b79a793a0

SHA512
8a9385f7e59d532bd9d468a6a59e0708c8a6d39ea15f64d8a94f49cf3bb8e10639863a38010516819e12654be28504dc2288649ce057527f1080d9d27772c745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
697ff271aaf197d2327187e33b8f689a

SHA1
728721ee3bd27107ac1c68802aba03f87d5bc61f

SHA256
82c7e962d7415133dfaef6006e498e619cdbb76ddcd89fa785a626db24c2bda3

SHA512
b87817d27e19df5a4390af5bcf157891b77e54cef92fdea3ec89b044a08af3b761ee673973de70d93b6d3e91aac84e84ed3aad3f932f0c2973b2aec7748b70ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d155a3f81942c0f37e964f9c11d4e0bf

SHA1
3b8ef11a56bed1b14d2db3f80fc05d2f8fe50940

SHA256
fb5810c9bcaacc70e9d52c53b56db268a2b70249f91143c67a70114b78d5710a

SHA512
fff21b8faa9f1aa866399a7f8e733ba45a656edbe8c56cebe599ca79aabdcb93ff85c7d07fbaf6b3862c2ae151273de6ce551f7cdafa67720830e11d3f85a390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586404.TMP

Filesize
705B

MD5
7ec0e558ab4f8911ce80cc681786ab79

SHA1
4eb9c06b81665054f448664447dad3a1e358ad8b

SHA256
107d8f84a3e839f1c1b6ce48b0f24d4d3ce2ae7fc341cb5540d82b1b3c1329c5

SHA512
1a023c56775d896dfdd3c3adef43d69f6a369cc671ccc8959e9ba73772cd3a471e1ec1cd6fbc946ac9aba6e1406dc32e3c4aff7446cb1917ade10a4a30357561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9b546c8d801188936eced79d8e180a06

SHA1
7048193168b1fa283069fdf29fbf9ee8aba0676a

SHA256
02d55d63a4388dd70f4152409a09a40aa771b329b191fb95ff9a97e31519343d

SHA512
9022815e5d5e1473448b377b7dc4ac412437fcddc9c76e18e584abbd009321ca629de86e015a81ccf483c2feadcbbc914494e7f3a52ccb5445ffe97e963dbe8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ac6cdb35257435c7435c845939f7170

SHA1
0be52ce14c34a8a8f055587f506a4da8cfd82ac6

SHA256
29f150b5097fcda325b7b2c68782906299a2a1dc6654865e938b0738070786b0

SHA512
2ec2390f0ef823bff0097c1e6da5fd530d71e171f046ea440b496e221f3681c27e0aef53f5b27801ea8637b3aed7d7143117bf9caaa27e24a6f48978f708e396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4dbf8f5a6e3b5f5f57cd942772388a76

SHA1
6e33f06748c38565d6a33acbe1616f9ee71749b3

SHA256
5df12c3a2641be514d1cf1c3c156af885af7219768d2a01c8e48f6f696f8a3c9

SHA512
f1e59f4175c07eb1bc12706de4771127fbf8f66fd98129374aaf0b0e4b89e93979bb775ca37c8e176aa947d14e26b9730187c6396c7ffdfabc7d9840d137a2f3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
7eb860abfe2281298575b5216ef42bc6

SHA1
d4dfd7ac22dcd07da34306c40b4e5367a969cda5

SHA256
83d46461bf45f00cb4fc5df9679b2bd82dbf54eeb022ca1711eefb4b2e7b7689

SHA512
427bfc41f0514ee10d400eea38f22f6fac6f9d5ecd84ad7adb1161ff9355e47c04ff411e172fafcd23c137ad1528ed2f2cb95d247613ae5550c089633f18994d

Download Submit
C:\Users\Admin\Downloads\spoofer.zip

Filesize
118KB

MD5
26a714bab0085d5332d0f9a6c574f914

SHA1
2bcab5225ac0a340eeece65076c88bef3f8711eb

SHA256
2f89136b4fa0b2fa4d5ac7dfa3d3001c603d0fcf198891f4f0dfc40563a1c066

SHA512
7ee8516f9a25a40ee0ab89168ed5d81d702c3959c4877004a8237250aa007030ad538a1114b511d423c1cb94a22785d9e1a91ffe04b981ffa5fadd6e8e7e615c

Download Submit
C:\Users\Admin\Downloads\spoofer\HWID Spoofer.exe

Filesize
357KB

MD5
c9b25c1bc4eb54124dad046b3b9e4241

SHA1
9e075389a2f34e224a68f84a1c5bb4d665077180

SHA256
620b80bcb9f45c4f6f8a0f2c503b4c639deb22c8b2d46d53261f695b51c2b0be

SHA512
75daa5a302e7faa1bca08b5f3101b757c07fe844945557b656143b85d37cf1fb0c45e51592d41a50827c0a2871bb9dfeaed502b5971efa4a307f7ade39bdd52d

Download Submit