File name:

UC Free Spoofer_[unknowncheats.me]_.exe

Full analysis: https://app.any.run/tasks/af0c41de-0f8c-4004-a975-b46d0ca44344
Verdict: Malicious activity
Analysis date: November 15, 2024, 00:29:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

905D2F7475333B95498BCB619162F155

SHA1:

4BA1E3B1B09BC6F079102F45A486C0BF396A18E0

SHA256:

AE68FD74617E5B4EAFAC25C718B8C754A3D0735286FF2CE3860AF80D483AA8EE

SSDEEP:

192:tjROeTXIhWgTOjIRA/zD2hwNZHaoQxQFQ3QrHQFXrmsQ5tfaJdp:3OTEIRA/WGNYQFQ3QrgqsB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4476)
      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 7100)

    • Hides command output

      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 3076)
      • cmd.exe (PID: 7100)
      • cmd.exe (PID: 6720)
      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 4476)

    • Uses WMIC.EXE to obtain information about user's desktop

      • cmd.exe (PID: 6200)

    • Executing commands from a ".bat" file

      • UC Free Spoofer_[unknowncheats.me]_.exe (PID: 5240)

    • Starts CMD.EXE for commands execution

      • UC Free Spoofer_[unknowncheats.me]_.exe (PID: 5240)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 6800)

  • INFO

    • Checks supported languages

      • curl.exe (PID: 2708)
      • UC Free Spoofer_[unknowncheats.me]_.exe (PID: 5240)
      • curl.exe (PID: 6728)

    • Changes file name

      • cmd.exe (PID: 6200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:28 02:30:24+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 4608
InitializedDataSize: 9216
UninitializedDataSize: -
EntryPoint: 0x14d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
156
Monitored processes
28
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start uc free spoofer_[unknowncheats.me]_.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs curl.exe no specs cmd.exe no specs curl.exe no specs cmd.exe no specs curl.exe no specs cmd.exe no specs curl.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
608C:\WINDOWS\system32\cmd.exe /c curl -o C:\Windows\amifldrv64.sys --silentC:\Windows\System32\cmd.exeUC Free Spoofer_[unknowncheats.me]_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
764C:\WINDOWS\system32\cmd.exe /c C:\Windows\spoof.batC:\Windows\System32\cmd.exeUC Free Spoofer_[unknowncheats.me]_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2708curl -o C:\Windows\AMIDEWINx64.EXE --silentC:\Windows\System32\curl.execmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
2
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
3076C:\WINDOWS\system32\cmd.exe /c C:\Windows\launcher.bat >nulC:\Windows\System32\cmd.exeUC Free Spoofer_[unknowncheats.me]_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
3648C:\WINDOWS\system32\cmd.exe /c curl -o C:\Windows\spoof.bat --silentC:\Windows\System32\cmd.exeUC Free Spoofer_[unknowncheats.me]_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3912curl -o C:\Windows\spoof.bat --silentC:\Windows\System32\curl.execmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
2
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
4476C:\WINDOWS\system32\cmd.exe /c sc stop vgc.sys >nulC:\Windows\System32\cmd.exeUC Free Spoofer_[unknowncheats.me]_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4792\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUC Free Spoofer_[unknowncheats.me]_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5240"C:\Users\admin\AppData\Local\Temp\UC Free Spoofer_[unknowncheats.me]_.exe" C:\Users\admin\AppData\Local\Temp\UC Free Spoofer_[unknowncheats.me]_.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\uc free spoofer_[unknowncheats.me]_.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\sechost.dll
5828C:\WINDOWS\system32\cmd.exe /c clsC:\Windows\System32\cmd.exeUC Free Spoofer_[unknowncheats.me]_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 196
Read events
1 196
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
37
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.20.245.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4376
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7116
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7116
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1068
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.20.245.138:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4360
SearchApp.exe
104.126.37.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
4376
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.20.245.138
  • 2.20.245.137
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.155
  • 104.126.37.178
  • 104.126.37.179
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.136
  • 104.126.37.160
  • 104.126.37.163
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.138
  • 20.190.160.17
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.74
  • 20.190.160.14
  • 40.126.32.76
whitelisted
th.bing.com
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.187
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
UC Free Spoofer_[unknowncheats.me]_.exe