File name: Spacesniffer_1_3_0_2.zip

Full analysis: https://app.any.run/tasks/67342c79-4c8a-47d4-ad1a-093b7dc599ff
Verdict: Malicious activity
Threats: Cobalt Strike

Cobalt Strike is a legitimate penetration-testing toolkit developed by Fortra, but cracked versions are widely adopted by threat actors, who use it as their C2 framework of choice for targeted attacks.

Analysis date: July 30, 2024, 19:40:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: cobaltstrike
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 568EBCF0898B13319D440C44AFADAF79
SHA1: 052D81D5E11F36BA017A9D66F1E5B542AF55C009
SHA256: 47D1957D069B598672DDAF83FECDB55E079F236804C1DCE973496526FEB15E9D
SSDEEP: 98304:TyWVEa30gP44Sfefn1ln3c6+x1qLCV8cCq1CgspC8A0UHOZAk4reiqxFXBusIwT9:5VWE6+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6364)
      • setup.exe (PID: 7036)
    • COBALTSTRIKE has been detected (YARA)

      • setup.exe (PID: 7036)
      • sihost.exe (PID: 6076)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6364)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6364)
      • StartMenuExperienceHost.exe (PID: 2472)
    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 7036)
    • Executable content was dropped or overwritten

      • setup.exe (PID: 7036)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 2472)
      • SearchApp.exe (PID: 372)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6364)
    • Checks supported languages

      • setup.exe (PID: 7036)
      • StartMenuExperienceHost.exe (PID: 2472)
      • SpaceSniffer.exe (PID: 6828)
      • TextInputHost.exe (PID: 6268)
      • SearchApp.exe (PID: 372)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 888)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 888)
    • Reads the computer name

      • SpaceSniffer.exe (PID: 6828)
      • StartMenuExperienceHost.exe (PID: 2472)
      • TextInputHost.exe (PID: 6268)
      • SearchApp.exe (PID: 372)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 2472)
      • SearchApp.exe (PID: 372)
    • Checks proxy server information

      • SearchApp.exe (PID: 372)
      • explorer.exe (PID: 888)
      • slui.exe (PID: 5304)
    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 372)
    • Reads the software policy settings

      • SearchApp.exe (PID: 372)
      • slui.exe (PID: 5304)
    • Process checks Internet Explorer phishing filters

      • SearchApp.exe (PID: 372)
    • Reads Environment values

      • SearchApp.exe (PID: 372)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 888)
    • Creates files in the program directory

      • setup.exe (PID: 7036)
More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report.

CobaltStrike

(PID) Process: (7036) setup.exe
C2 (1): 91.92.250.70/broadcast
BeaconType: HTTPS
Port: 10443
SleepTime: 15500
MaxGetSize: 13982519
Jitter: 15
PublicKey: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKCx0TqxEL7f794xRtav1937lV DGtM4Lqsp0H4tnh87+nsCuqL4povSjRESckHfjoduBm1pNrZScCOHgu3B56PH2ts Yjc3rCXMO/R4xvln2vMRVRLkKXs5QjW2Fw+q4cC/KNaerhSjVRA7eUKXVSzCAVD8 RGh8oQIuJa/kUNdkPQIDAQAB -----END PUBLIC KEY-----
DNS_strategy: round-robin
DNS_strategy_rotate_seconds: -1
DNS_strategy_fail_x: -1
DNS_strategy_fail_seconds: -1
SpawnTo: 00000000000000000000000000000000
Spawnto_x86: %windir%\syswow64\gpupdate.exe
Spawnto_x64: %windir%\sysnative\gpupdate.exe
CryptoScheme: 0
HttpGet_Verb: GET
HttpPost_Verb: POST
HttpPostChunk: 0
Watermark: 1158277545
bStageCleanup: True
bCFGCaution: True
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
HttpPostUri: /1/events/com.amazon.csm.csa.prod
Malleable_C2_Instructions: Remove 1 bytes at the end, Remove 1 bytes at the end, Remove 194 bytes from the beginning, Base64 decode
HttpGet_Metadata:
  • ConstHeaders (8):
    • Accept: application/json, text/plain, */*
    • Accept-Language: en-US,en;q=0.5
    • Origin: https://www.amazon.com
    • Referer: https://www.amazon.com
    • Sec-Fetch-Dest: empty
    • Sec-Fetch-Mode: cors
    • Sec-Fetch-Site: cross-site
    • Te: trailers
  • SessionId (2):
    • base64
    • header: x-amzn-RequestId
HttpPost_Metadata:
  • ConstHeaders (2):
    • Accept: */*
    • Origin: https://www.amazon.com
  • SessionId (2):
    • base64url
    • header: x-amz-rid
  • Output (5):
    • base64url
    • prepend: {"events":[{"data":{"schemaId":"csa.VideoInteractions.1","application":"Retail:Prod:,"requestId":"MBFV82TTQV2JNBKJJ50B","title":"Amazon.com. Spend less. Smile more.","subPageType":"desktop","session":{"id":"133-9905055-2677266"},"video":{"id":"
    • append: "
    • append: "playerMode":"INLINE","videoRequestId":"MBFV82TTQV2JNBKJJ50B","isAudioOn":"false","player":"IVS","event":"NONE"}}}}]}
    • print
bUsesCookies: 0000
Proxy_Behavior: Use IE settings
tcpFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader: 0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate: 0-0-0
bProcInject_StartRWX: False
bProcInject_UseRWX: False
bProcInject_MinAllocSize: 8092
ProcInject_PrependAppend_x86: 6687c944456687d287db49484c400f1f00434287d24766900f1f0400660f1f040040416687db87c990460f1f000f1f00..
ProcInject_PrependAppend_x64: 6687c944456687d287db49484c400f1f00434287d24766900f1f0400660f1f040040416687db87c990460f1f000f1f00..
ProcInject_Stub: 5462f8cce537c664d9b20f4f03cc8339
ProcInject_AllocationMethod: NtMapViewOfSection

(PID) Process: (6076) sihost.exe
Identical configuration to PID 7036 (setup.exe) above: same C2 (91.92.250.70/broadcast, HTTPS, port 10443), same public key, watermark 1158277545 and all other fields.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:05:28 09:05:20
ZipCRC: 0x750a3590
ZipCompressedSize: 921
ZipUncompressedSize: 1944
ZipFileName: Disclaimer.txt
No data.
All screenshots are available in the full report
Total processes: 157
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 0

Behavior graph

  • start
  • winrar.exe
  • slui.exe
  • #COBALTSTRIKE setup.exe
  • spacesniffer.exe (no specs)
  • #COBALTSTRIKE sihost.exe (no specs)
  • explorer.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • textinputhost.exe (no specs)
  • searchapp.exe
  • mobsync.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 372
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 888
CMD: explorer.exe /LOADSAVEDWINDOWS
Path: C:\Windows\explorer.exe
Parent process: sihost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 2472
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 3704
CMD: C:\WINDOWS\System32\mobsync.exe -Embedding
Path: C:\Windows\System32\mobsync.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Sync Center
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5304
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6076
CMD: \??\C:\Windows\System32\sihost.exe
Path: C:\Windows\System32\sihost.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Shell Infrastructure Host
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
CobaltStrike
(PID) Process: (6076) sihost.exe
Extracted configuration is identical to the one listed in the CobaltStrike section above (C2 91.92.250.70/broadcast, HTTPS, port 10443, watermark 1158277545).
PID: 6268
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 6364
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Spacesniffer_1_3_0_2.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6828
CMD: C:\Users\Public\Downloads\SpaceSniffer.exe
Path: C:\Users\Public\Downloads\SpaceSniffer.exe
Parent process: setup.exe
User:
admin
Company:
Uderzo Software e Consulenza Informatica
Integrity Level:
MEDIUM
Description:
Disk space analysis tool
Exit code:
0
Version:
1.3.0.2
Modules
Images
c:\users\public\downloads\spacesniffer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 7036
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6364.27780\setup.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
2147942487
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6364.27780\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
CobaltStrike
(PID) Process: (7036) setup.exe
Extracted configuration is identical to the one listed in the CobaltStrike section above (C2 91.92.250.70/broadcast, HTTPS, port 10443, watermark 1158277545).
Total events: 44 569
Read events: 44 291
Write events: 255
Delete events: 23

Modification events

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Spacesniffer_1_3_0_2.zip

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6364) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 5
Suspicious files: 50
Text files: 264
Unknown types: 28

Dropped files

Columns: PID | Process | Filename | Type

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres | binary
  MD5: 7EA9E46244F778F48FF83E178CE1A725
  SHA256: 9DB6E82F8754A3B16689DF1ED5AE935EA6DA7A8602038DA5B6B05E928B3849BB

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\M8N5R19A\-UAIppANYxiGpRWJy2NDph4qOEw.gz[1].jss | -
  MD5: 9E527B91C2D8B31B0017B76049B5E4E3
  SHA256: 38EDF0F961C1CCB287880B88F12F370775FC65B2E28227EEE215E849CDBE9BBC

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\58\8is6HLWQOmmjdhp0hh0w6MjZScI[1].jss | -
  MD5: EA96E2A012B4157CD03BE833845A9373
  SHA256: 19DA2D4C0173E6A6E9D4971D6F65C93842B99BCF09B52C68DF2D8B44C9302208

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\58\oT6Um3bDKq3bSDJ4e0e-YJ5MXCI[1].css | text
  MD5: 212CA645026552E6E0430DD815E209A8
  SHA256: C7DE31F7449EB7373452E3F942A2B070BC5893087C5BB2BC50E565244DA70CD3

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | binary
  MD5: 486B6726A3AAB32C593768B2023DCFCC
  SHA256: 3E845A5F4F7D452810E7800C5E1EAB67BC45C398303A2DFBEC156462CA80CE7A

7036 | setup.exe | C:\Users\Public\Downloads\SpaceSniffer.exe | executable
  MD5: B310E7335EAE66A533E985B377E81612
  SHA256: FC0629D450F8A57BC93E1BA1CDEF0BFF49C1A4CF0725C2A1F52116FD67D9FE8E

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\58\CYGXBN1kkA_ojDY5vKbCoG4Zy0E[1].css | text
  MD5: DF25912CCFEE50A9E57BC97B4D05B5C0
  SHA256: 3CA3D1262A62E919C72A641F7491B38769CFB8149704E69CB6C960836DD9C6F8

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\58\_BjeFNPDJ-N9umMValublyrbq4Y[1].css | text
  MD5: 15DC838A1A66277F9F4D915124DFFBBC
  SHA256: 9C947D5F732431197DA9DB1F159CB3D4CDC5DBFE55FDC0A9513E571FF31236A1

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\58\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css | text
  MD5: 77373397A17BD1987DFCA2E68D022ECF
  SHA256: A319AF2E953E7AFDA681B85A62F629A5C37344AF47D2FCD23AB45E1D99497F13

372 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\58\4-xJy3tX6bM2BGl5zKioiEcQ1TU[1].css | text
  MD5: B8C89E50D1A8DF3954C30836B80AFA47
  SHA256: F63656D5FE0A12D00F9FD662236FE996E18F036435781B1824F51C5B2BA935EC
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 7
TCP/UDP connections: 56
DNS requests: 25
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in the report)

4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
4584 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
372 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (- = not shown in the report)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4128 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 92.122.215.72:443 | - | Akamai International B.V. | DE | unknown
5900 | slui.exe | 20.83.72.98:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 131.253.33.254:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3188 | slui.exe | 20.83.72.98:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.213.44
  • 13.107.246.44
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.133
  • 20.190.160.20
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted
th.bing.com
  • 2.20.142.136
  • 2.20.142.138
  • 92.122.215.99
  • 2.20.142.137
  • 92.122.215.98
  • 2.20.142.122
  • 92.122.215.95
  • 92.122.215.74
  • 2.20.142.128
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.179
  • 2.23.209.177
  • 2.23.209.182
  • 2.23.209.130
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.115.3.253
whitelisted
www.bing.com
  • 2.20.142.179
  • 2.20.142.182
  • 2.20.142.162
  • 2.20.142.155
  • 2.20.142.185
  • 2.20.142.154
  • 2.20.142.187
  • 92.122.215.3
  • 2.20.142.184
  • 2.23.209.187
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.177
  • 2.23.209.189
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted

Threats

No threats detected
No debug info