File name:

Spacesniffer_1_3_0_2.zip

Full analysis: https://app.any.run/tasks/67342c79-4c8a-47d4-ad1a-093b7dc599ff
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration testing toolkit developed by Fortra. Its cracked versions are widely adopted by bad actors, who use it as a C2 framework of choice for targeted attacks.

Analysis date: July 30, 2024, 19:40:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

568EBCF0898B13319D440C44AFADAF79

SHA1:

052D81D5E11F36BA017A9D66F1E5B542AF55C009

SHA256:

47D1957D069B598672DDAF83FECDB55E079F236804C1DCE973496526FEB15E9D

SSDEEP:

98304:TyWVEa30gP44Sfefn1ln3c6+x1qLCV8cCq1CgspC8A0UHOZAk4reiqxFXBusIwT9:5VWE6+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 7036)
      • WinRAR.exe (PID: 6364)
    • COBALTSTRIKE has been detected (YARA)

      • setup.exe (PID: 7036)
      • sihost.exe (PID: 6076)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6364)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6364)
      • StartMenuExperienceHost.exe (PID: 2472)
    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 7036)
    • Executable content was dropped or overwritten

      • setup.exe (PID: 7036)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 2472)
      • SearchApp.exe (PID: 372)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6364)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 888)
    • Checks supported languages

      • setup.exe (PID: 7036)
      • SpaceSniffer.exe (PID: 6828)
      • StartMenuExperienceHost.exe (PID: 2472)
      • TextInputHost.exe (PID: 6268)
      • SearchApp.exe (PID: 372)
    • Reads the computer name

      • SpaceSniffer.exe (PID: 6828)
      • StartMenuExperienceHost.exe (PID: 2472)
      • TextInputHost.exe (PID: 6268)
      • SearchApp.exe (PID: 372)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 888)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 2472)
      • SearchApp.exe (PID: 372)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 372)
    • Checks proxy server information

      • SearchApp.exe (PID: 372)
      • explorer.exe (PID: 888)
      • slui.exe (PID: 5304)
    • Process checks Internet Explorer phishing filters

      • SearchApp.exe (PID: 372)
    • Reads the software policy settings

      • SearchApp.exe (PID: 372)
      • slui.exe (PID: 5304)
    • Reads Environment values

      • SearchApp.exe (PID: 372)
    • Creates files in the program directory

      • setup.exe (PID: 7036)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobaltStrike

(PID) Process: (7036) setup.exe
C2 (1): 91.92.250.70/broadcast
BeaconType: HTTPS
Port: 10443
SleepTime: 15500
MaxGetSize: 13982519
Jitter: 15
PublicKey: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKCx0TqxEL7f794xRtav1937lV DGtM4Lqsp0H4tnh87+nsCuqL4povSjRESckHfjoduBm1pNrZScCOHgu3B56PH2ts Yjc3rCXMO/R4xvln2vMRVRLkKXs5QjW2Fw+q4cC/KNaerhSjVRA7eUKXVSzCAVD8 RGh8oQIuJa/kUNdkPQIDAQAB -----END PUBLIC KEY-----
DNS_strategy: round-robin
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\gpupdate.exe
Spawnto_x64: %windir%\sysnative\gpupdate.exe
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 1158277545
bStageCleanup: True
bCFGCaution: True
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
HttpPostUri: /1/events/com.amazon.csm.csa.prod
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 1 bytes at the end, Remove 194 bytes from the beginning, Base64 decode
HttpGet_Metadata:
  ConstHeaders (8):
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Origin: https://www.amazon.com
    Referer: https://www.amazon.com
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site
    Te: trailers
  SessionId (2): base64; header: x-amzn-RequestId
HttpPost_Metadata:
  ConstHeaders (2):
    Accept: */*
    Origin: https://www.amazon.com
  SessionId (2): base64url; header: x-amz-rid
  Output (5): base64url
    prepend: {"events":[{"data":{"schemaId":"csa.VideoInteractions.1","application":"Retail:Prod:,"requestId":"MBFV82TTQV2JNBKJJ50B","title":"Amazon.com. Spend less. Smile more.","subPageType":"desktop","session":{"id":"133-9905055-2677266"},"video":{"id":"
    append: "
    append: "playerMode":"INLINE","videoRequestId":"MBFV82TTQV2JNBKJJ50B","isAudioOn":"false","player":"IVS","event":"NONE"}}}}]}
    print
bUsesCookies: 0000
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: False
bProcInject_UseRWX: False
bProcInject_MinAllocSize: 8092
ProcInject_PrependAppend_x86: 6687c944456687d287db49484c400f1f00434287d24766900f1f0400660f1f040040416687db87c990460f1f000f1f00..
ProcInject_PrependAppend_x64: 6687c944456687d287db49484c400f1f00434287d24766900f1f0400660f1f040040416687db87c990460f1f000f1f00..
ProcInject_Stub: 5462f8cce537c664d9b20f4f03cc8339
ProcInject_AllocationMethod: NtMapViewOfSection
(PID) Process: (6076) sihost.exe
C2 (1): 91.92.250.70/broadcast
BeaconType: HTTPS
Port: 10443
SleepTime: 15500
MaxGetSize: 13982519
Jitter: 15
PublicKey: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKCx0TqxEL7f794xRtav1937lV DGtM4Lqsp0H4tnh87+nsCuqL4povSjRESckHfjoduBm1pNrZScCOHgu3B56PH2ts Yjc3rCXMO/R4xvln2vMRVRLkKXs5QjW2Fw+q4cC/KNaerhSjVRA7eUKXVSzCAVD8 RGh8oQIuJa/kUNdkPQIDAQAB -----END PUBLIC KEY-----
DNS_strategy: round-robin
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\gpupdate.exe
Spawnto_x64: %windir%\sysnative\gpupdate.exe
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 1158277545
bStageCleanup: True
bCFGCaution: True
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
HttpPostUri: /1/events/com.amazon.csm.csa.prod
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 1 bytes at the end, Remove 194 bytes from the beginning, Base64 decode
HttpGet_Metadata:
  ConstHeaders (8):
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Origin: https://www.amazon.com
    Referer: https://www.amazon.com
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site
    Te: trailers
  SessionId (2): base64; header: x-amzn-RequestId
HttpPost_Metadata:
  ConstHeaders (2):
    Accept: */*
    Origin: https://www.amazon.com
  SessionId (2): base64url; header: x-amz-rid
  Output (5): base64url
    prepend: {"events":[{"data":{"schemaId":"csa.VideoInteractions.1","application":"Retail:Prod:,"requestId":"MBFV82TTQV2JNBKJJ50B","title":"Amazon.com. Spend less. Smile more.","subPageType":"desktop","session":{"id":"133-9905055-2677266"},"video":{"id":"
    append: "
    append: "playerMode":"INLINE","videoRequestId":"MBFV82TTQV2JNBKJJ50B","isAudioOn":"false","player":"IVS","event":"NONE"}}}}]}
    print
bUsesCookies: 0000
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: False
bProcInject_UseRWX: False
bProcInject_MinAllocSize: 8092
ProcInject_PrependAppend_x86: 6687c944456687d287db49484c400f1f00434287d24766900f1f0400660f1f040040416687db87c990460f1f000f1f00..
ProcInject_PrependAppend_x64: 6687c944456687d287db49484c400f1f00434287d24766900f1f0400660f1f040040416687db87c990460f1f000f1f00..
ProcInject_Stub: 5462f8cce537c664d9b20f4f03cc8339
ProcInject_AllocationMethod: NtMapViewOfSection
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:05:28 09:05:20
ZipCRC: 0x750a3590
ZipCompressedSize: 921
ZipUncompressedSize: 1944
ZipFileName: Disclaimer.txt
No data.
All screenshots are available in the full report
Total processes
157
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

  • winrar.exe
  • slui.exe
  • setup.exe (#COBALTSTRIKE)
  • spacesniffer.exe (no specs)
  • sihost.exe (#COBALTSTRIKE, no specs)
  • explorer.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • textinputhost.exe (no specs)
  • searchapp.exe
  • mobsync.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 372
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 888
CMD: explorer.exe /LOADSAVEDWINDOWS
Path: C:\Windows\explorer.exe
Parent process: sihost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 2472
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 3704
CMD: C:\WINDOWS\System32\mobsync.exe -Embedding
Path: C:\Windows\System32\mobsync.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Sync Center
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5304
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6076
CMD: \??\C:\Windows\System32\sihost.exe
Path: C:\Windows\System32\sihost.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Shell Infrastructure Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 6268
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 6364
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Spacesniffer_1_3_0_2.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6828
CMD: C:\Users\Public\Downloads\SpaceSniffer.exe
Path: C:\Users\Public\Downloads\SpaceSniffer.exe
Parent process: setup.exe
User:
admin
Company:
Uderzo Software e Consulenza Informatica
Integrity Level:
MEDIUM
Description:
Disk space analysis tool
Exit code:
0
Version:
1.3.0.2
Modules
Images
c:\users\public\downloads\spacesniffer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 7036
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\setup.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
2147942487
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6364.27780\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
Total events
44 569
Read events
44 291
Write events
255
Delete events
23

Modification events

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Spacesniffer_1_3_0_2.zip

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files
5
Suspicious files
50
Text files
264
Unknown types
28

Dropped files

PID
Process
Filename
Type
PID: 372 | Process: SearchApp.exe | Type: der
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
MD5: 836D92C831135FFE10D7C33FC0C3FE66
SHA256: BC7E6EB403F7FF1A2DD37814D4455A399951F876F476F79E10D265079EDD597E

PID: 6364 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\Release Notes.txt
MD5: 46FEB3FF3CAED4B53B508DB39664B52E
SHA256: 1E3E232CAC8757FBFA45DF3D6288860C0CE7F3425BD3CBAF051510B8928B28AA

PID: 6364 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\Disclaimer.txt
MD5: 9BE250E513AEB89502B35F21C0FBF0C4
SHA256: AC88CF90B4E7643F27EA762D1643CC58D631DC021135BF9B4F02C43A2242894B

PID: 6364 | Process: WinRAR.exe | Type: pdf
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\SpaceSniffer Quick Start.pdf
MD5: 7CAA1C6249587B32273517DD53D34979
SHA256: 4D60EBEB8176692FA259A81C8A69622002D272CD13B79E14451980E031E74B79

PID: 6364 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\vcruntime140.dll
MD5: 699DD61122D91E80ABDFCC396CE0EC10
SHA256: F843CD00D9AFF9A902DD7C98D6137639A10BD84904D81A085C28A3B29F8223C1

PID: 6364 | Process: WinRAR.exe | Type: pdf
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\SpaceSniffer User Manual.pdf
MD5: 3D1F422D948C87957A56A23593818A8D
SHA256: 9EF8CF15B269454E4443FC7F99AA7A582DBD98CE108A45485B3BCF3BD437286C

PID: 372 | Process: SearchApp.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\58\CYGXBN1kkA_ojDY5vKbCoG4Zy0E[1].css
MD5: DF25912CCFEE50A9E57BC97B4D05B5C0
SHA256: 3CA3D1262A62E919C72A641F7491B38769CFB8149704E69CB6C960836DD9C6F8

PID: 6364 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\werx.dll
MD5: 0A0CD54859A60630714A076934111E7C
SHA256: C91552FCD8829E182B620D29B333ED5187296F9612F79815F87267A2817823F9

PID: 6364 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\setup.exe
MD5: 0A9EE8F50EF336B422521E133F6CC751
SHA256: 4A135F60A5193F543D452C9D01E98546C44680E7BDF6C043E8837B1DFEAE3875

PID: 7036 | Process: setup.exe | Type: executable
Filename: C:\Users\Public\Downloads\SpaceSniffer.exe
MD5: B310E7335EAE66A533E985B377E81612
SHA256: FC0629D450F8A57BC93E1BA1CDEF0BFF49C1A4CF0725C2A1F52116FD67D9FE8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
56
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4584
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4132
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
372
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
4128
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
92.122.215.72:443
Akamai International B.V.
DE
unknown
5900
slui.exe
20.83.72.98:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6012
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
131.253.33.254:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3188
slui.exe
20.83.72.98:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.213.44
  • 13.107.246.44
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.133
  • 20.190.160.20
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted
th.bing.com
  • 2.20.142.136
  • 2.20.142.138
  • 92.122.215.99
  • 2.20.142.137
  • 92.122.215.98
  • 2.20.142.122
  • 92.122.215.95
  • 92.122.215.74
  • 2.20.142.128
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.179
  • 2.23.209.177
  • 2.23.209.182
  • 2.23.209.130
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.115.3.253
whitelisted
www.bing.com
  • 2.20.142.179
  • 2.20.142.182
  • 2.20.142.162
  • 2.20.142.155
  • 2.20.142.185
  • 2.20.142.154
  • 2.20.142.187
  • 92.122.215.3
  • 2.20.142.184
  • 2.23.209.187
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.177
  • 2.23.209.189
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted

Threats

No threats detected
No debug info