File name:

Spoof.exe

Full analysis: https://app.any.run/tasks/f0d42977-b6ed-4d80-afc8-eaa32c1a73fb
Verdict: Malicious activity
Analysis date: May 25, 2025, 16:23:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
amifldrv64-sys
vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

6AB27EB6A486F4794145309AD0D18E91

SHA1:

E414A7523480637747D3913662BAA341AEB6ABBF

SHA256:

131AF227A519D4DAF8233FB5139FD7AE75F594673B91EAC9F0C108B0BBE87B1E

SSDEEP:

6144:YhSsGfYKXjBnu7YVnPPVHFnEXbw2Y3h3NWqU/xdwpN8T4LUEDW9VXnHFudT7coWX:PsGAEVnPn8w2UNiX0gEOpnHFutV5nyJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Vulnerable driver has been detected

      • Spoof.exe (PID: 7544)

  • SUSPICIOUS

    • Read disk information to detect sandboxing environments

      • DevManView.exe (PID: 7720)
      • DevManView.exe (PID: 7668)
      • DevManView.exe (PID: 7752)
      • DevManView.exe (PID: 7684)
      • DevManView.exe (PID: 7760)
      • DevManView.exe (PID: 7780)
      • DevManView.exe (PID: 7824)
      • DevManView.exe (PID: 7884)
      • DevManView.exe (PID: 7848)
      • DevManView.exe (PID: 7728)
      • DevManView.exe (PID: 7816)
      • DevManView.exe (PID: 7892)
      • DevManView.exe (PID: 7676)
      • DevManView.exe (PID: 7792)
      • DevManView.exe (PID: 7856)

    • Starts CMD.EXE for commands execution

      • Spoof.exe (PID: 7544)

    • Drops a system driver (possible attempt to evade defenses)

      • Spoof.exe (PID: 7544)

    • Executable content was dropped or overwritten

      • Spoof.exe (PID: 7544)

    • Executing commands from a ".bat" file

      • Spoof.exe (PID: 7544)

  • INFO

    • Checks supported languages

      • Spoof.exe (PID: 7544)
      • DevManView.exe (PID: 7728)
      • DevManView.exe (PID: 7760)
      • DevManView.exe (PID: 7720)
      • DevManView.exe (PID: 7684)
      • DevManView.exe (PID: 7792)
      • DevManView.exe (PID: 7816)
      • DevManView.exe (PID: 7752)
      • DevManView.exe (PID: 7848)
      • DevManView.exe (PID: 7824)
      • DevManView.exe (PID: 7892)
      • DevManView.exe (PID: 7884)
      • DevManView.exe (PID: 7856)
      • DevManView.exe (PID: 7780)
      • AMIDEWINx64.exe (PID: 7936)
      • AMIDEWINx64.exe (PID: 8028)
      • AMIDEWINx64.exe (PID: 8104)
      • AMIDEWINx64.exe (PID: 8148)
      • DevManView.exe (PID: 7676)
      • DevManView.exe (PID: 7668)

    • Reads the computer name

      • DevManView.exe (PID: 7720)
      • DevManView.exe (PID: 7676)
      • DevManView.exe (PID: 7684)
      • DevManView.exe (PID: 7752)
      • DevManView.exe (PID: 7792)
      • DevManView.exe (PID: 7780)
      • DevManView.exe (PID: 7824)
      • DevManView.exe (PID: 7728)
      • DevManView.exe (PID: 7760)
      • DevManView.exe (PID: 7816)
      • DevManView.exe (PID: 7856)
      • DevManView.exe (PID: 7892)
      • DevManView.exe (PID: 7884)
      • DevManView.exe (PID: 7848)
      • AMIDEWINx64.exe (PID: 7936)
      • AMIDEWINx64.exe (PID: 8028)
      • AMIDEWINx64.exe (PID: 8104)
      • AMIDEWINx64.exe (PID: 8148)
      • DevManView.exe (PID: 7668)

    • Creates files in the program directory

      • Spoof.exe (PID: 7544)

    • The sample compiled with english language support

      • Spoof.exe (PID: 7544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2021:12:06 22:27:55+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.3
CodeSize: 12288
InitializedDataSize: 707584
UninitializedDataSize: -
EntryPoint: 0x3100
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
155
Monitored processes
27
Malicious processes
2
Suspicious processes
15

Behavior graph

Click at the process to see the details
start THREAT spoof.exe conhost.exe no specs cmd.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs cmd.exe no specs amidewinx64.exe no specs cmd.exe no specs amidewinx64.exe no specs cmd.exe no specs amidewinx64.exe no specs cmd.exe no specs amidewinx64.exe no specs spoof.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
7452"C:\Users\admin\AppData\Local\Temp\Spoof.exe" C:\Users\admin\AppData\Local\Temp\Spoof.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\spoof.exe
c:\windows\system32\ntdll.dll
7544"C:\Users\admin\AppData\Local\Temp\Spoof.exe" C:\Users\admin\AppData\Local\Temp\Spoof.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\spoof.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\sechost.dll
7556\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSpoof.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7644C:\WINDOWS\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\lol.batC:\Windows\System32\cmd.exeSpoof.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
7668DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""C:\ProgramData\Microsoft\Windows\DevManView.execmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
7676DevManView.exe /uninstall "Disk drive*" /use_wildcard""C:\ProgramData\Microsoft\Windows\DevManView.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
7684DevManView.exe /uninstall "C:\"C:\ProgramData\Microsoft\Windows\DevManView.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
7720DevManView.exe /uninstall "D:\"C:\ProgramData\Microsoft\Windows\DevManView.execmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
7728DevManView.exe /uninstall "E:\"C:\ProgramData\Microsoft\Windows\DevManView.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
7752DevManView.exe /uninstall "F:\"C:\ProgramData\Microsoft\Windows\DevManView.execmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\microsoft\windows\devmanview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events
54 259
Read events
54 258
Write events
1
Delete events
0

Modification events

(PID) Process:(7668) DevManView.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:writeName:setupapi.dev.log
Value:
4096
Executable files
6
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7544Spoof.exeC:\ProgramData\Microsoft\Windows\DevManView.exeexecutable
MD5:33D7A84F8EF67FD005F37142232AE97E
SHA256:A1BE60039F125080560EDF1EEBEE5B6D9E2D6039F5F5AC478E6273E05EDADB4B
7544Spoof.exeC:\ProgramData\Microsoft\Windows\amide.sysexecutable
MD5:785045F8B25CD2E937DDC6B09DEBE01A
SHA256:37073E42FFA0322500F90CD7E3C8D02C4CDD695D31C77E81560ABEC20BFB68BA
7544Spoof.exeC:\ProgramData\Microsoft\Windows\DevManView.cfgtext
MD5:43B37D0F48BAD1537A4DE59FFDA50FFE
SHA256:FC258DFB3E49BE04041AC24540EF544192C2E57300186F777F301D586F900288
7544Spoof.exeC:\ProgramData\Microsoft\Windows\lol.battext
MD5:84C4264B5224A40CD350BA2C085E9F79
SHA256:9819406B56FED960E5C0CC62E5300A1B85845FEF5A1EA4C0FD6A1AA3F3833F14
7668DevManView.exeC:\Windows\INF\setupapi.dev.logtext
MD5:7F3D5912188CA79627B75E858D2BE0B8
SHA256:8AF0CD8512710D08AE5AF4CF5043974459FDBB28F024D181FD9AB7B49E832BEB
7544Spoof.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeexecutable
MD5:C4D09D3B3516550AD2DED3B09E28C10C
SHA256:66433A06884F28FDABB85A73C682D1587767E1DFA116907559EC00ED8D0919D3
7544Spoof.exeC:\ProgramData\Microsoft\Windows\amifldrv64.sysexecutable
MD5:785045F8B25CD2E937DDC6B09DEBE01A
SHA256:37073E42FFA0322500F90CD7E3C8D02C4CDD695D31C77E81560ABEC20BFB68BA
7544Spoof.exeC:\ProgramData\Microsoft\Windows\DevManView.chmbinary
MD5:FCB3C9E1524CAFB62E98A4883C72E53D
SHA256:94D08A83B3B3509FA17860BCDDD6ED038BE29F3BD99251433E235111A8F381EC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
13
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.46
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.73
  • 40.126.31.130
  • 20.190.159.68
  • 20.190.159.2
  • 20.190.159.129
  • 20.190.159.71
  • 40.126.31.69
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Spoof.exe