File name:

LARKSHARP SPOOFER.zip

Full analysis: https://app.any.run/tasks/f43da023-4806-417a-ba0c-6a5a2a5b24b7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 06, 2025, 23:19:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
python
loader
pyinstaller
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

5E5A8A54FC1283A440CE9D35DF48551D

SHA1:

2EBCE3A9C9F3A514F7F35E180400E7AB4DC12EDC

SHA256:

47F42570C1328798A903A976412A5D004FA38CA514F7262CD2FD3F80F55D02DA

SSDEEP:

98304:oxZ5IVvggs2lCJL3KK6NC6/lmNVD0Z9Nu6HYWFV5kAwtL7ex00CQVXe5plC964U5:EbZIDf89VLE4iF85yfepv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6732)
    • Starts CertUtil for downloading files

      • wscript.exe (PID: 4204)
    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • wscript.exe (PID: 6668)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6732)
    • Process drops legitimate windows executable

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • randomizer.exe (PID: 5872)
    • Process drops python dynamic module

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • randomizer.exe (PID: 5872)
    • Executable content was dropped or overwritten

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • LARKSHARP SPOOFER.exe (PID: 2800)
      • randomizer.exe (PID: 5872)
    • The process drops C-runtime libraries

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • randomizer.exe (PID: 5872)
    • Drops a system driver (possible attempt to evade defenses)

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • LARKSHARP SPOOFER.exe (PID: 2800)
    • Application launched itself

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • randomizer.exe (PID: 5872)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 6208)
    • Loads Python modules

      • LARKSHARP SPOOFER.exe (PID: 2800)
      • randomizer.exe (PID: 5028)
    • Starts CMD.EXE for commands execution

      • LARKSHARP SPOOFER.exe (PID: 2800)
      • cmd.exe (PID: 4244)
      • mac.exe (PID: 5328)
      • mac.exe (PID: 4300)
      • mac.exe (PID: 4400)
      • mac.exe (PID: 3288)
      • mac.exe (PID: 6032)
      • cmd.exe (PID: 6208)
    • Uses TASKKILL.EXE to kill process

      • LARKSHARP SPOOFER.exe (PID: 2800)
    • Hides command output

      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 520)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 6340)
      • cmd.exe (PID: 5732)
      • cmd.exe (PID: 5472)
      • cmd.exe (PID: 4840)
      • cmd.exe (PID: 3508)
      • cmd.exe (PID: 68)
      • cmd.exe (PID: 5792)
      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 7116)
      • reg.exe (PID: 6428)
      • reg.exe (PID: 6076)
      • reg.exe (PID: 4792)
      • reg.exe (PID: 5284)
      • reg.exe (PID: 2144)
      • reg.exe (PID: 1228)
      • cmd.exe (PID: 6208)
      • ipconfig.exe (PID: 4320)
      • ipconfig.exe (PID: 6240)
      • ipconfig.exe (PID: 5080)
      • ipconfig.exe (PID: 4624)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4244)
      • LARKSHARP SPOOFER.exe (PID: 2800)
    • The executable file from the user directory is run by the CMD process

      • AMIDEWINx64.EXE (PID: 2672)
      • AMIDEWINx64.EXE (PID: 5244)
      • AMIDEWINx64.EXE (PID: 5712)
      • AMIDEWINx64.EXE (PID: 6148)
      • AMIDEWINx64.EXE (PID: 4320)
      • AMIDEWINx64.EXE (PID: 3560)
      • AMIDEWINx64.EXE (PID: 6448)
      • AMIDEWINx64.EXE (PID: 1740)
      • AMIDEWINx64.EXE (PID: 6916)
      • AMIDEWINx64.EXE (PID: 6176)
      • AMIDEWINx64.EXE (PID: 6892)
      • AMIDEWINx64.EXE (PID: 6676)
      • AMIDEWINx64.EXE (PID: 7144)
      • AMIDEWINx64.EXE (PID: 7068)
      • AMIDEWINx64.EXE (PID: 7084)
      • AMIDEWINx64.EXE (PID: 7152)
      • AMIDEWINx64.EXE (PID: 7164)
      • AMIDEWINx64.EXE (PID: 4864)
      • AMIDEWINx64.EXE (PID: 4328)
      • AMIDEWINx64.EXE (PID: 6264)
      • AMIDEWINx64.EXE (PID: 1620)
      • AMIDEWINx64.EXE (PID: 6220)
      • AMIDEWINx64.EXE (PID: 5432)
      • AMIDEWINx64.EXE (PID: 968)
      • AMIDEWINx64.EXE (PID: 628)
      • AMIDEWINx64.EXE (PID: 4516)
      • AMIDEWINx64.EXE (PID: 3640)
      • AMIDEWINx64.EXE (PID: 6296)
      • AMIDEWINx64.EXE (PID: 2132)
      • AMIDEWINx64.EXE (PID: 6384)
      • AMIDEWINx64.EXE (PID: 4932)
      • AMIDEWINx64.EXE (PID: 6424)
      • AMIDEWINx64.EXE (PID: 2828)
      • AMIDEWINx64.EXE (PID: 5000)
      • AMIDEWINx64.EXE (PID: 5912)
      • AMIDEWINx64.EXE (PID: 4632)
      • AMIDEWINx64.EXE (PID: 4832)
      • AMIDEWINx64.EXE (PID: 6380)
      • AMIDEWINx64.EXE (PID: 4968)
      • AMIDEWINx64.EXE (PID: 4856)
      • AMIDEWINx64.EXE (PID: 4636)
      • volumeid.exe (PID: 1328)
    • Uses WMIC.EXE

      • cmd.exe (PID: 6340)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 5732)
      • cmd.exe (PID: 5472)
      • cmd.exe (PID: 4840)
      • cmd.exe (PID: 3508)
      • cmd.exe (PID: 7116)
      • cmd.exe (PID: 68)
      • cmd.exe (PID: 5792)
      • cmd.exe (PID: 7076)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 4204)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4204)
    • Uses REG/REGEDIT.EXE to modify registry

      • wscript.exe (PID: 4204)
    • The process executes VB scripts

      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 776)
    • Process uses IPCONFIG to get network configuration information

      • wscript.exe (PID: 4204)
    • Process uses IPCONFIG to discard the IP address configuration

      • wscript.exe (PID: 4204)
    • Process uses IPCONFIG to clear DNS cache

      • wscript.exe (PID: 4204)
    • Suspicious use of NETSH.EXE

      • wscript.exe (PID: 4204)
    • The system shut down or reboot

      • LARKSHARP SPOOFER.exe (PID: 2800)
    • Process uses IPCONFIG to renew DHCP configuration

      • wscript.exe (PID: 4204)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6732)
    • Checks supported languages

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • LARKSHARP SPOOFER.exe (PID: 2800)
      • mode.com (PID: 5728)
      • randomizer.exe (PID: 5872)
      • randomizer.exe (PID: 5028)
      • AMIDEWINx64.EXE (PID: 4320)
      • AMIDEWINx64.EXE (PID: 2672)
      • AMIDEWINx64.EXE (PID: 5244)
      • AMIDEWINx64.EXE (PID: 5712)
      • AMIDEWINx64.EXE (PID: 6148)
      • AMIDEWINx64.EXE (PID: 3560)
      • AMIDEWINx64.EXE (PID: 6448)
      • AMIDEWINx64.EXE (PID: 1740)
      • AMIDEWINx64.EXE (PID: 6176)
      • AMIDEWINx64.EXE (PID: 6892)
      • AMIDEWINx64.EXE (PID: 6916)
      • AMIDEWINx64.EXE (PID: 7152)
      • AMIDEWINx64.EXE (PID: 7144)
      • AMIDEWINx64.EXE (PID: 7068)
      • AMIDEWINx64.EXE (PID: 7164)
      • AMIDEWINx64.EXE (PID: 7084)
      • AMIDEWINx64.EXE (PID: 4864)
      • AMIDEWINx64.EXE (PID: 6676)
      • AMIDEWINx64.EXE (PID: 4328)
      • AMIDEWINx64.EXE (PID: 628)
      • AMIDEWINx64.EXE (PID: 3640)
      • AMIDEWINx64.EXE (PID: 4516)
      • AMIDEWINx64.EXE (PID: 6264)
      • AMIDEWINx64.EXE (PID: 2132)
      • AMIDEWINx64.EXE (PID: 6296)
      • AMIDEWINx64.EXE (PID: 968)
      • AMIDEWINx64.EXE (PID: 5432)
      • AMIDEWINx64.EXE (PID: 4932)
      • AMIDEWINx64.EXE (PID: 1620)
      • AMIDEWINx64.EXE (PID: 6220)
      • AMIDEWINx64.EXE (PID: 6424)
      • AMIDEWINx64.EXE (PID: 6384)
      • AMIDEWINx64.EXE (PID: 2828)
      • AMIDEWINx64.EXE (PID: 5000)
      • AMIDEWINx64.EXE (PID: 5912)
      • AMIDEWINx64.EXE (PID: 4632)
      • AMIDEWINx64.EXE (PID: 6380)
      • AMIDEWINx64.EXE (PID: 4968)
      • AMIDEWINx64.EXE (PID: 4832)
      • AMIDEWINx64.EXE (PID: 4636)
      • AMIDEWINx64.EXE (PID: 4856)
      • mac.exe (PID: 5328)
      • mac.exe (PID: 4300)
      • mac.exe (PID: 4400)
      • mac.exe (PID: 3288)
      • mac.exe (PID: 6032)
      • volumeid.exe (PID: 1328)
    • Manual execution by a user

      • LARKSHARP SPOOFER.exe (PID: 1864)
    • Reads the computer name

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • randomizer.exe (PID: 5872)
      • AMIDEWINx64.EXE (PID: 2672)
      • AMIDEWINx64.EXE (PID: 5244)
      • AMIDEWINx64.EXE (PID: 5712)
      • AMIDEWINx64.EXE (PID: 4320)
      • AMIDEWINx64.EXE (PID: 6148)
      • AMIDEWINx64.EXE (PID: 3560)
      • AMIDEWINx64.EXE (PID: 6892)
      • AMIDEWINx64.EXE (PID: 6448)
      • AMIDEWINx64.EXE (PID: 1740)
      • AMIDEWINx64.EXE (PID: 6176)
      • AMIDEWINx64.EXE (PID: 6916)
      • AMIDEWINx64.EXE (PID: 6676)
      • AMIDEWINx64.EXE (PID: 7144)
      • AMIDEWINx64.EXE (PID: 7068)
      • AMIDEWINx64.EXE (PID: 7152)
      • AMIDEWINx64.EXE (PID: 7164)
      • AMIDEWINx64.EXE (PID: 7084)
      • AMIDEWINx64.EXE (PID: 4328)
      • AMIDEWINx64.EXE (PID: 4864)
      • AMIDEWINx64.EXE (PID: 628)
      • AMIDEWINx64.EXE (PID: 4516)
      • AMIDEWINx64.EXE (PID: 3640)
      • AMIDEWINx64.EXE (PID: 2132)
      • AMIDEWINx64.EXE (PID: 1620)
      • AMIDEWINx64.EXE (PID: 6264)
      • AMIDEWINx64.EXE (PID: 6296)
      • AMIDEWINx64.EXE (PID: 5432)
      • AMIDEWINx64.EXE (PID: 6220)
      • AMIDEWINx64.EXE (PID: 2828)
      • AMIDEWINx64.EXE (PID: 5000)
      • AMIDEWINx64.EXE (PID: 6384)
      • AMIDEWINx64.EXE (PID: 968)
      • AMIDEWINx64.EXE (PID: 4932)
      • AMIDEWINx64.EXE (PID: 6424)
      • AMIDEWINx64.EXE (PID: 4968)
      • AMIDEWINx64.EXE (PID: 5912)
      • AMIDEWINx64.EXE (PID: 4832)
      • AMIDEWINx64.EXE (PID: 6380)
      • AMIDEWINx64.EXE (PID: 4632)
      • AMIDEWINx64.EXE (PID: 4856)
      • AMIDEWINx64.EXE (PID: 4636)
    • Create files in a temporary directory

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • randomizer.exe (PID: 5872)
      • LARKSHARP SPOOFER.exe (PID: 2800)
    • The sample compiled with english language support

      • LARKSHARP SPOOFER.exe (PID: 1864)
      • LARKSHARP SPOOFER.exe (PID: 2800)
      • randomizer.exe (PID: 5872)
    • Reads the machine GUID from the registry

      • LARKSHARP SPOOFER.exe (PID: 2800)
      • randomizer.exe (PID: 5028)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 5728)
    • Creates files or folders in the user directory

      • LARKSHARP SPOOFER.exe (PID: 2800)
    • PyInstaller has been detected (YARA)

      • LARKSHARP SPOOFER.exe (PID: 1864)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 716)
      • WMIC.exe (PID: 4896)
      • WMIC.exe (PID: 6608)
      • WMIC.exe (PID: 5712)
      • WMIC.exe (PID: 644)
      • WMIC.exe (PID: 3744)
      • WMIC.exe (PID: 6688)
      • WMIC.exe (PID: 3884)
      • WMIC.exe (PID: 4500)
      • WMIC.exe (PID: 6944)
      • certutil.exe (PID: 5044)
    • Disables trace logs

      • netsh.exe (PID: 4592)
      • netsh.exe (PID: 4144)
      • netsh.exe (PID: 716)
      • netsh.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:10:11 09:49:10
ZipCRC: 0x0a6cdeac
ZipCompressedSize: 10370472
ZipUncompressedSize: 10528569
ZipFileName: LARKSHARP SPOOFER.exe
No data.
All screenshots are available in the full report
Total processes
292
Monitored processes
172
Malicious processes
7
Suspicious processes
8

Behavior graph

start winrar.exe rundll32.exe no specs larksharp spoofer.exe conhost.exe no specs larksharp spoofer.exe cmd.exe no specs mode.com no specs taskkill.exe no specs conhost.exe no specs randomizer.exe conhost.exe no specs randomizer.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs amidewinx64.exe no specs mac.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs mac.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs mac.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs mac.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs mac.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs volumeid.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe no specs 
reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs ipconfig.exe no specs conhost.exe no specs ipconfig.exe no specs conhost.exe no specs ipconfig.exe no specs conhost.exe no specs ipconfig.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs explorer.exe no specs cmd.exe no specs shutdown.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
68
CMD:
C:\WINDOWS\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
Path:
C:\Windows\System32\cmd.exe
Parent process:
mac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
132
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
236
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
308
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
certutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
396
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
reg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
440
CMD:
"C:\Windows\System32\reg.exe" ADD HKLM\System\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d 42178 /f
Path:
C:\Windows\System32\reg.exe
Parent process:
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID:
520
CMD:
cmd.exe /c "C:\Users\admin\AppData\Roaming\tmpf37rkdw8\spoof.bat >nul 2>&1"
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
16
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID:
628
CMD:
AMIDEWINx64.EXE /BSH 3 WfPdcwlkyHBoGqW
Path:
C:\Users\admin\AppData\Roaming\tmpf37rkdw8\AMIDEWINx64.EXE
Parent process:
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
16
Modules
Images
c:\users\admin\appdata\roaming\tmpf37rkdw8\amidewinx64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
644
CMD:
WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL ENABLE
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID:
716
CMD:
WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
Path:
C:\Windows\System32\wbem\WMIC.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
9 631
Read events
9 587
Write events
26
Delete events
18

Modification events

(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\LARKSHARP SPOOFER.zip
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:
delete value
Name:
15
Value:
(PID) Process:
(6732) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:
delete value
Name:
14
Value:
Executable files
36
Suspicious files
2
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\_ctypes.pyd | Type: executable
MD5:291A0A9B63BAE00A4222A6DF71A22023
SHA256:820E840759EED12E19F3C485FD819B065B49D9DC704AE3599A63077416D63324
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\VCRUNTIME140.dll | Type: executable
MD5:4A365FFDBDE27954E768358F4A4CE82E
SHA256:6A0850419432735A98E56857D5CFCE97E9D58A947A9863CA6AFADD1C7BCAB27C
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\amigendrv64.sys | Type: executable
MD5:9ACCEBD928A8926FECF317F53CD1C44E
SHA256:811E5D65DF60DFB8C6E1713DA708BE16D9A13EF8DFCD1022D8D1DDA52ED057B2
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\libcrypto-1_1.dll | Type: executable
MD5:89511DF61678BEFA2F62F5025C8C8448
SHA256:296426E7CE11BC3D1CFA9F2AEB42F60C974DA4AF3B3EFBEB0BA40E92E5299FDF
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\MSVCP140.dll | Type: executable
MD5:72F3D84384E888BF0D38852EB863026B
SHA256:A4C2229BDC2A2A630ACDC095B4D86008E5C3E3BC7773174354F3DA4F5BEB9CDE
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\base_library.zip | Type: compressed
MD5:35CD9399C279AAB402D2285429B666AC
SHA256:FF2A2D425B9E5EA63934F72ADAD3A53E9E61174A235AF0F61A83816D3C5CABC6
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\_bz2.pyd | Type: executable
MD5:A49C5F406456B79254EB65D015B81088
SHA256:CE4EF8ED1E72C1D3A6082D500A17A009EB6E8ED15022BF3B68A22291858FECED
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\_hashlib.pyd | Type: executable
MD5:5E5AF52F42EAF007E3AC73FD2211F048
SHA256:A30CF1A40E0B09610E34BE187F1396AC5A44DCFB27BC7FF9B450D1318B694C1B
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\_lzma.pyd | Type: executable
MD5:CF9FD17B1706F3044A8F74F6D398D5F1
SHA256:9209CCC60115727B192BF7771551040CA6FDD50F9BF8C3D2EACBFD424E8245E4
PID: 1864 | Process: LARKSHARP SPOOFER.exe | Filename: C:\Users\admin\AppData\Local\Temp\_MEI18642\amifldrv64.sys | Type: executable
MD5:785045F8B25CD2E937DDC6B09DEBE01A
SHA256:37073E42FFA0322500F90CD7E3C8D02C4CDD695D31C77E81560ABEC20BFB68BA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
24
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6268
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6268
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6504
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
20.190.160.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted
448
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6504
backgroundTaskHost.exe
20.223.36.55:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6504
backgroundTaskHost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6268
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.160.2
  • 20.190.160.64
  • 20.190.160.130
  • 40.126.32.74
  • 40.126.32.134
  • 20.190.160.65
  • 20.190.160.3
  • 20.190.160.66
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
self.events.data.microsoft.com
  • 40.79.173.41
whitelisted

Threats

No threats detected
No debug info