File name:

Spoofer.zip

Full analysis: https://app.any.run/tasks/7b480003-03a7-427a-bf38-ad535ddb276e
Verdict: Malicious activity
Analysis date: April 23, 2025, 22:37:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
procexp1627-sys
vuln-driver
arch-exec
amifldrv64-sys
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

52A813BF6C6459ABD5CFA2FC634CE239

SHA1:

010D866A2EF39839E97185C03E55C61BB302A2AF

SHA256:

41C28661B1453F4470E5799AECFCBFC46FDA8D62D9642919918F13A0C49D822B

SSDEEP:

98304:T14WXCzA1zukBCAFZn+6Br1YRab/Jx6evd+/lgl6zCOfrdAMcB4QaZiD1LiOEBSX:TjfgrqFv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • device_cleanup.exe (PID: 960)
      • Volumeid64.exe (PID: 2236)
      • Volumeid64.exe (PID: 6476)
      • Volumeid64.exe (PID: 736)
      • Volumeid64.exe (PID: 2384)
      • Volumeid64.exe (PID: 780)
      • Volumeid64.exe (PID: 4776)
      • DriveCleanup.exe (PID: 3180)
      • DeviceCleanupCmd.exe (PID: 5960)
    • Generic archive extractor

      • WinRAR.exe (PID: 1168)
    • Vulnerable driver has been detected

      • cpu_mac_spoofer.exe (PID: 5332)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • cpu_mac_spoofer.exe (PID: 5332)
    • Executing commands from a ".bat" file

      • cpu_mac_spoofer.exe (PID: 5332)
      • load.exe (PID: 4040)
      • os_cleaner_two.exe (PID: 632)
      • load.exe (PID: 780)
      • mac.exe (PID: 1512)
      • Volume.exe (PID: 6576)
      • cmd.exe (PID: 5304)
      • FIXusrTEMPv6.exe (PID: 1512)
    • The executable file from the user directory is run by the CMD process

      • extd.exe (PID: 2516)
      • extd.exe (PID: 5956)
      • extd.exe (PID: 1512)
      • load.exe (PID: 4040)
      • extd.exe (PID: 1040)
      • extd.exe (PID: 5392)
      • extd.exe (PID: 5256)
      • load.exe (PID: 780)
      • mac.exe (PID: 1512)
      • extd.exe (PID: 4628)
      • Volume.exe (PID: 6576)
      • FIXusrTEMPv6.exe (PID: 1512)
      • DeviceCleanupCmd.exe (PID: 5960)
      • DriveCleanup.exe (PID: 3180)
      • DevManView.exe (PID: 5936)
      • DevManView.exe (PID: 5124)
      • DevManView.exe (PID: 5984)
      • DevManView.exe (PID: 4068)
      • DevManView.exe (PID: 968)
      • DevManView.exe (PID: 4180)
      • DevManView.exe (PID: 7184)
      • DevManView.exe (PID: 7176)
      • DevManView.exe (PID: 7240)
      • DevManView.exe (PID: 7248)
      • DevManView.exe (PID: 7256)
      • DevManView.exe (PID: 7264)
      • DevManView.exe (PID: 7216)
      • DevManView.exe (PID: 7224)
      • DevManView.exe (PID: 7232)
      • DevManView.exe (PID: 7304)
      • DevManView.exe (PID: 7288)
      • DevManView.exe (PID: 7296)
      • DevManView.exe (PID: 7320)
      • DevManView.exe (PID: 7272)
      • DevManView.exe (PID: 7280)
      • DevManView.exe (PID: 7312)
      • DevManView.exe (PID: 7440)
      • extd.exe (PID: 3676)
      • DevManView.exe (PID: 8024)
    • The process creates files with name similar to system file names

      • cpu_mac_spoofer.exe (PID: 5332)
    • Process drops legitimate windows executable

      • cpu_mac_spoofer.exe (PID: 5332)
    • Executable content was dropped or overwritten

      • cpu_mac_spoofer.exe (PID: 5332)
      • os_cleaner_two.exe (PID: 632)
    • Starts CMD.EXE for commands execution

      • valorant_cleaner.exe (PID: 2692)
      • cpu_mac_spoofer.exe (PID: 5332)
      • load.exe (PID: 4040)
      • os_cleaner_two.exe (PID: 632)
      • load.exe (PID: 780)
      • cmd.exe (PID: 536)
      • mac.exe (PID: 1512)
      • Volume.exe (PID: 6576)
      • FIXusrTEMPv6.exe (PID: 1512)
      • cmd.exe (PID: 5304)
    • Application launched itself

      • cmd.exe (PID: 536)
      • cmd.exe (PID: 5304)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 5400)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 5400)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 536)
    • Uses WMIC.EXE to obtain network information

      • cmd.exe (PID: 4696)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5956)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 6752)
      • cmd.exe (PID: 5260)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 5680)
      • cmd.exe (PID: 536)
      • cmd.exe (PID: 5756)
      • cmd.exe (PID: 7244)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2236)
    • Read disk information to detect sandboxing environments

      • DevManView.exe (PID: 968)
      • DevManView.exe (PID: 4180)
      • DevManView.exe (PID: 4068)
      • DevManView.exe (PID: 5936)
      • DevManView.exe (PID: 7176)
      • DevManView.exe (PID: 5124)
      • DevManView.exe (PID: 5984)
      • DevManView.exe (PID: 7184)
      • DevManView.exe (PID: 7312)
      • DevManView.exe (PID: 7272)
      • DevManView.exe (PID: 7440)
      • DevManView.exe (PID: 7248)
      • DevManView.exe (PID: 7296)
      • DevManView.exe (PID: 7232)
      • DevManView.exe (PID: 7224)
      • DevManView.exe (PID: 7304)
      • DevManView.exe (PID: 7280)
      • DevManView.exe (PID: 7264)
      • DevManView.exe (PID: 7256)
      • DevManView.exe (PID: 7320)
      • DevManView.exe (PID: 7288)
      • DevManView.exe (PID: 8024)
      • DevManView.exe (PID: 7216)
      • DevManView.exe (PID: 7240)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2236)
  • INFO

    • Manual execution by a user

      • valorant_cleaner.exe (PID: 4212)
      • valorant_cleaner.exe (PID: 2692)
      • cpu_mac_spoofer.exe (PID: 5332)
      • cpu_mac_spoofer.exe (PID: 5512)
      • device_cleanup.exe (PID: 960)
      • lgsvcl.exe (PID: 4212)
      • lgsvcl.exe (PID: 1280)
      • os_cleaner_two.exe (PID: 4408)
      • os_cleaner_two.exe (PID: 632)
    • Checks supported languages

      • device_cleanup.exe (PID: 960)
      • cpu_mac_spoofer.exe (PID: 5332)
      • valorant_cleaner.exe (PID: 2692)
      • extd.exe (PID: 2516)
      • extd.exe (PID: 5956)
      • load.exe (PID: 4040)
      • extd.exe (PID: 1512)
      • tool.exe (PID: 5204)
      • lgsvcl.exe (PID: 1280)
      • tool.exe (PID: 5064)
      • tool.exe (PID: 3008)
      • os_cleaner_two.exe (PID: 632)
      • tool.exe (PID: 6244)
      • extd.exe (PID: 1040)
      • tool.exe (PID: 4188)
      • tool.exe (PID: 2656)
      • tool.exe (PID: 6728)
      • extd.exe (PID: 5392)
      • extd.exe (PID: 5256)
      • load.exe (PID: 780)
      • tool.exe (PID: 736)
      • tool.exe (PID: 2984)
      • tool.exe (PID: 4212)
      • tool.exe (PID: 5228)
      • tool.exe (PID: 1188)
      • tool.exe (PID: 5608)
      • tool.exe (PID: 4812)
      • tool.exe (PID: 2772)
      • tool.exe (PID: 4464)
      • tool.exe (PID: 6112)
      • tool.exe (PID: 4996)
      • tool.exe (PID: 1660)
      • tool.exe (PID: 4696)
      • tool.exe (PID: 4212)
      • tool.exe (PID: 6728)
      • tool.exe (PID: 4628)
      • tool.exe (PID: 1240)
      • mac.exe (PID: 1512)
      • tool.exe (PID: 1348)
      • tool.exe (PID: 6728)
      • tool.exe (PID: 6476)
      • tool.exe (PID: 720)
      • tool.exe (PID: 2236)
      • tool.exe (PID: 7156)
      • tool.exe (PID: 2268)
      • tool.exe (PID: 4696)
      • extd.exe (PID: 4628)
      • Volumeid64.exe (PID: 6476)
      • Volumeid64.exe (PID: 2236)
      • Volumeid64.exe (PID: 2384)
      • Volumeid64.exe (PID: 4776)
      • Volume.exe (PID: 6576)
      • Volumeid64.exe (PID: 736)
      • Volumeid64.exe (PID: 780)
      • DeviceCleanupCmd.exe (PID: 5960)
      • DriveCleanup.exe (PID: 3180)
      • FIXusrTEMPv6.exe (PID: 1512)
      • DevManView.exe (PID: 4180)
      • DevManView.exe (PID: 5936)
      • DevManView.exe (PID: 968)
      • DevManView.exe (PID: 7176)
      • DevManView.exe (PID: 7184)
      • DevManView.exe (PID: 5984)
      • DevManView.exe (PID: 5124)
      • DevManView.exe (PID: 4068)
      • DevManView.exe (PID: 7224)
      • DevManView.exe (PID: 7232)
      • DevManView.exe (PID: 7264)
      • DevManView.exe (PID: 7312)
      • DevManView.exe (PID: 7288)
      • DevManView.exe (PID: 7304)
      • DevManView.exe (PID: 7296)
      • DevManView.exe (PID: 7240)
      • DevManView.exe (PID: 7280)
      • DevManView.exe (PID: 7248)
      • DevManView.exe (PID: 7256)
      • DevManView.exe (PID: 7272)
      • DevManView.exe (PID: 7216)
      • DevManView.exe (PID: 7320)
      • DevManView.exe (PID: 7440)
      • extd.exe (PID: 3676)
      • DevManView.exe (PID: 8024)
    • Create files in a temporary directory

      • cpu_mac_spoofer.exe (PID: 5332)
      • load.exe (PID: 4040)
      • os_cleaner_two.exe (PID: 632)
      • load.exe (PID: 780)
      • mac.exe (PID: 1512)
      • Volume.exe (PID: 6576)
      • FIXusrTEMPv6.exe (PID: 1512)
    • The sample was compiled with English language support

      • cpu_mac_spoofer.exe (PID: 5332)
    • Creates files or folders in the user directory

      • cpu_mac_spoofer.exe (PID: 5332)
    • Reads the computer name

      • tool.exe (PID: 5204)
      • tool.exe (PID: 5064)
      • tool.exe (PID: 3008)
      • tool.exe (PID: 4188)
      • tool.exe (PID: 6244)
      • tool.exe (PID: 6728)
      • tool.exe (PID: 2656)
      • tool.exe (PID: 736)
      • tool.exe (PID: 2984)
      • tool.exe (PID: 4464)
      • tool.exe (PID: 4212)
      • tool.exe (PID: 5228)
      • tool.exe (PID: 5608)
      • tool.exe (PID: 1188)
      • tool.exe (PID: 4812)
      • tool.exe (PID: 6112)
      • tool.exe (PID: 1660)
      • tool.exe (PID: 4996)
      • tool.exe (PID: 4212)
      • tool.exe (PID: 6728)
      • tool.exe (PID: 4696)
      • tool.exe (PID: 2772)
      • tool.exe (PID: 4628)
      • tool.exe (PID: 1240)
      • tool.exe (PID: 1348)
      • tool.exe (PID: 6476)
      • tool.exe (PID: 4696)
      • tool.exe (PID: 720)
      • tool.exe (PID: 2236)
      • tool.exe (PID: 7156)
      • tool.exe (PID: 2268)
      • tool.exe (PID: 6728)
      • DeviceCleanupCmd.exe (PID: 5960)
      • DriveCleanup.exe (PID: 3180)
      • DevManView.exe (PID: 968)
      • DevManView.exe (PID: 4180)
      • DevManView.exe (PID: 5936)
      • DevManView.exe (PID: 5124)
      • DevManView.exe (PID: 4068)
      • DevManView.exe (PID: 7176)
      • DevManView.exe (PID: 7184)
      • DevManView.exe (PID: 5984)
      • DevManView.exe (PID: 7280)
      • DevManView.exe (PID: 7288)
      • DevManView.exe (PID: 7264)
      • DevManView.exe (PID: 7304)
      • DevManView.exe (PID: 7232)
      • DevManView.exe (PID: 7224)
      • DevManView.exe (PID: 7240)
      • DevManView.exe (PID: 7312)
      • DevManView.exe (PID: 7320)
      • DevManView.exe (PID: 7248)
      • DevManView.exe (PID: 7216)
      • DevManView.exe (PID: 7296)
      • DevManView.exe (PID: 7272)
      • DevManView.exe (PID: 7256)
      • DevManView.exe (PID: 7440)
      • DevManView.exe (PID: 8024)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 856)
      • WMIC.exe (PID: 5984)
      • WMIC.exe (PID: 1348)
    • Disables trace logs

      • netsh.exe (PID: 1012)
      • netsh.exe (PID: 1128)
    • NirSoft software is detected

      • DevManView.exe (PID: 968)
      • DevManView.exe (PID: 5936)
      • DevManView.exe (PID: 5124)
      • DevManView.exe (PID: 5984)
      • DevManView.exe (PID: 4068)
      • DevManView.exe (PID: 4180)
      • DevManView.exe (PID: 7176)
      • DevManView.exe (PID: 7184)
      • DevManView.exe (PID: 7240)
      • DevManView.exe (PID: 7248)
      • DevManView.exe (PID: 7256)
      • DevManView.exe (PID: 7216)
      • DevManView.exe (PID: 7224)
      • DevManView.exe (PID: 7232)
      • DevManView.exe (PID: 7264)
      • DevManView.exe (PID: 7304)
      • DevManView.exe (PID: 7312)
      • DevManView.exe (PID: 7320)
      • DevManView.exe (PID: 7272)
      • DevManView.exe (PID: 7280)
      • DevManView.exe (PID: 7288)
      • DevManView.exe (PID: 7296)
      • DevManView.exe (PID: 7440)
      • DevManView.exe (PID: 8024)
    • Checks proxy server information

      • slui.exe (PID: 6576)
    • Reads the software policy settings

      • slui.exe (PID: 6576)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:03:19 14:08:40
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: classify_spoofer-main/
No data.
All screenshots are available in the full report
Total processes: 316
Monitored processes: 180
Malicious processes: 9
Suspicious processes: 37

Behavior graph

start winrar.exe no specs device_cleanup.exe no specs conhost.exe no specs valorant_cleaner.exe no specs valorant_cleaner.exe conhost.exe no specs cmd.exe no specs cmd.exe no specs cpu_mac_spoofer.exe no specs THREAT cpu_mac_spoofer.exe conhost.exe no specs cmd.exe no specs extd.exe no specs extd.exe no specs cmd.exe no specs extd.exe no specs lgsvcl.exe no specs load.exe no specs lgsvcl.exe cmd.exe no specs tool.exe no specs conhost.exe no specs os_cleaner_two.exe no specs tool.exe no specs os_cleaner_two.exe conhost.exe no specs tool.exe no specs cmd.exe no specs extd.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs extd.exe no specs tool.exe no specs extd.exe no specs load.exe no specs cmd.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs cmd.exe no specs mac.exe no specs cmd.exe no specs tool.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs tool.exe no specs extd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs findstr.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs volume.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs volumeid64.exe no specs cmd.exe no specs cmd.exe 
no specs volumeid64.exe no specs cmd.exe no specs volumeid64.exe no specs cmd.exe no specs volumeid64.exe no specs cmd.exe no specs cmd.exe no specs volumeid64.exe no specs cmd.exe no specs volumeid64.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs fixusrtempv6.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs devicecleanupcmd.exe no specs conhost.exe no specs drivecleanup.exe no specs conhost.exe no specs ping.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs devmanview.exe no specs ping.exe no specs rundll32.exe no specs ping.exe no specs ping.exe no specs devmanview.exe no specs ping.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs extd.exe no specs slui.exe cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID:
536
CMD:
"C:\WINDOWS\sysnative\cmd" /c "C:\Users\admin\AppData\Local\Temp\E793.tmp\E794.tmp\E795.bat C:\Users\admin\AppData\Roaming\dump\mac.exe"
Path:
C:\Windows\System32\cmd.exe
Parent process:
mac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID:
632
CMD:
"C:\Users\admin\Desktop\os_cleaner_two.exe"
Path:
C:\Users\admin\Desktop\os_cleaner_two.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\os_cleaner_two.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
644
CMD:
reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist /f
Path:
C:\Windows\System32\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
720
CMD:
tool.exe /BLC "Default string"
Path:
C:\Users\admin\AppData\Roaming\dump\tool.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
216
Modules
Images
c:\users\admin\appdata\roaming\dump\tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID:
720
CMD:
C:\WINDOWS\system32\cmd.exe /c RMDIR /S /Q C:\Users\%username%\AppData\Local\VALORANT
Path:
C:\Windows\System32\cmd.exe
Parent process:
valorant_cleaner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
736
CMD:
tool.exe /SU "AUTO"
Path:
C:\Users\admin\AppData\Roaming\dump\tool.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
216
Modules
Images
c:\users\admin\appdata\roaming\dump\tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID:
736
CMD:
Volumeid64.exe E: 0664-7001
Path:
C:\Users\admin\AppData\Roaming\dump\Volumeid64.exe
Parent process:
cmd.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
HIGH
Description:
Set disk volume id
Exit code:
1
Version:
2.1
Modules
Images
c:\users\admin\appdata\roaming\dump\volumeid64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
780
CMD:
"load.exe"
Path:
C:\Users\admin\AppData\Roaming\dump\load.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
216
Modules
Images
c:\users\admin\appdata\roaming\dump\load.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
780
CMD:
Volumeid64.exe F: 4989-6601
Path:
C:\Users\admin\AppData\Roaming\dump\Volumeid64.exe
Parent process:
cmd.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
HIGH
Description:
Set disk volume id
Exit code:
1
Version:
2.1
Modules
Images
c:\users\admin\appdata\roaming\dump\volumeid64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
856
CMD:
wmic nic where physicaladapter=true get deviceid
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events: 76 816
Read events: 76 762
Write events: 17
Delete events: 37

Modification events

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 0
Value: C:\Users\admin\Desktop\Spoofer.zip

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name
Value: 120

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size
Value: 80

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type
Value: 120

(PID) Process: (1168) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: mtime
Value: 100

(PID) Process: (5256) reg.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0010
Operation: write, Name: NetworkAddress
Value: 82B4D48519B7

(PID) Process: (5204) reg.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0010
Operation: write, Name: PnPCapabilities
Value: 24
Executable files: 15
Suspicious files: 6
Text files: 12
Unknown types: 0

Dropped files

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\dump\DevManView.chm
Type: binary
MD5: FCB3C9E1524CAFB62E98A4883C72E53D
SHA256: 94D08A83B3B3509FA17860BCDDD6ED038BE29F3BD99251433E235111A8F381EC

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\dump\convert.bat
Type: text
MD5: 9154D12F6AE25EEE3A2350A4D419E51C
SHA256: 9BFCE540D339A8371E6EBBF7CD2EF8CE6DEAC8B179061D74F520269317D40409

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\dump\amifldrv64.sys
Type: executable
MD5: 785045F8B25CD2E937DDC6B09DEBE01A
SHA256: 37073E42FFA0322500F90CD7E3C8D02C4CDD695D31C77E81560ABEC20BFB68BA

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\dump\DevManView.exe
Type: executable
MD5: 33D7A84F8EF67FD005F37142232AE97E
SHA256: A1BE60039F125080560EDF1EEBEE5B6D9E2D6039F5F5AC478E6273E05EDADB4B

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\dump\DriveCleanup.exe
Type: executable
MD5: 6F6D0FD357DDD2661F0035F3440C0EC4
SHA256: 7DF319E036EB145DC9ADF9AD0AFC03EB4D18D72851CBCCA8A00C574BCA86FC78

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\dump\fix.bat
Type: text
MD5: 5703EBCD2FD73ECDC737D34A9B3E9E6B
SHA256: 07A94D172B1CF6BE8646B4476491CED60996CDCAA0511B966690DF56E2901EFD

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Roaming\dump\DevManView.cfg
Type: text
MD5: F71E8C379C76568CE0472A9F94F399E5
SHA256: 43788AA272943CA270314FD0EC0D2BF9F30179093001FE2D846162C51F8A3DB7

PID: 2236, Process: Volumeid64.exe
Filename: \Device\HarddiskVolume2
MD5:
SHA256:

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Local\Temp\D747.tmp\D748.tmp\D749.bat
Type: text
MD5: 05A549C77B6F9502328216ADC3A07D17
SHA256: 2390A95953E364F99CEC3C7FE535FCAA9BBD9A8F4A946DB4FC08FD23340EA55D

PID: 5332, Process: cpu_mac_spoofer.exe
Filename: C:\Users\admin\AppData\Local\Temp\D747.tmp\D748.tmp\extd.exe
Type: executable
MD5: C14CE13AB09B4829F67A879D735A10A1
SHA256: EF2699BA677FCDB8A3B70A711A59A5892D8439E108E3AC4D27A7F946C4D01A4A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 54
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4024 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
4024 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
472 | SIHClient.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
472 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
472 | SIHClient.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
472 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
472 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
472 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4024 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4024 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4024 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2196 | svchost.exe | 224.0.0.251:5353 | - | - | - | unknown
2196 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
472 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted

Threats

No threats detected
No debug info