Malware Analysis Report

2024-10-16 05:20

Sample ID 240702-fv3efs1enl
Target !_ANDROID.zip
SHA256 1383b3b8f79d369214e2b537d15b77b3b362aee0f509c856c0f88a98e8500447
Tags: xmrig evasion miner persistence privilege_escalation spynote
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral12, behavioral4, behavioral5, behavioral6, behavioral9, behavioral10, behavioral1, behavioral2, behavioral8, behavioral11, behavioral3, behavioral7 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 1383b3b8f79d369214e2b537d15b77b3b362aee0f509c856c0f88a98e8500447

Threat Level: Known bad

The file !_ANDROID.zip was found to be: Known bad.

Malicious Activity Summary

xmrig evasion miner persistence privilege_escalation spynote

xmrig

Spynote payload

Spynote family

XMRig Miner payload

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Declares services with permission to bind to the system

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

AutoIT Executable

Drops file in System32 directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-02 05:12

Signatures

Spynote family

spynote

Spynote payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2024-07-02 05:12
Reported: 2024-07-02 05:15
Platform: win10v2004-20240508-en
Max time kernel: 146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TiWorker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\MicrosoftWindows.xml | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MicrosoftWindows.xml | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A
File created | C:\Windows\SysWOW64\TiWorker.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A
File opened for modification | C:\Windows\SysWOW64\TiWorker.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A
File created | C:\Windows\SysWOW64\config.json | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config.json | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\TiWorker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1488 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2828 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2828 wrote to memory of 4344 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2828 wrote to memory of 4344 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1488 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 3240 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3240 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1488 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 1408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1752 wrote to memory of 1408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1488 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 3888 wrote to memory of 1280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3888 wrote to memory of 1280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1488 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 5016 wrote to memory of 4800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 5016 wrote to memory of 4800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1488 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 3504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1420 wrote to memory of 3504 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1420 wrote to memory of 2392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1420 wrote to memory of 2392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1488 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Windows\system32\cmd.exe
PID 3572 wrote to memory of 1552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 3572 wrote to memory of 1552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 1488 wrote to memory of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe
PID 1488 wrote to memory of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe

"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "WindowsUpdate"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"

C:\Windows\system32\schtasks.exe

schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit

C:\Windows\system32\certutil.exe

certutil –addstore –f root MicrosoftWindows.crt

C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe

"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp
US 8.8.8.8:53 pool.minexmr.com udp

Files

C:\Users\Admin\AppData\Local\Temp\autEAFC.tmp

MD5 ecede3c32ce83ff76ae584c938512c5a
SHA1 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
SHA256 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
SHA512 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

C:\Windows\SysWOW64\MicrosoftWindows.xml

MD5 b1cbfcc7b7a5716a30b77f5dc5bb6135
SHA1 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9
SHA256 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
SHA512 d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

memory/4348-19-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-20-0x0000000000400000-0x0000000000DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

MD5 1bb617d3aab1dbe2ec2e4a90bf824846
SHA1 bbe179f1bdc4466661da3638420e6ca862bd50ca
SHA256 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
SHA512 ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

memory/4348-23-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-29-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-30-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-31-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-32-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-33-0x0000000000400000-0x0000000000DCB000-memory.dmp

C:\Windows\SysWOW64\config.json

MD5 3da156f2d3307118a8e2c569be30bc87
SHA1 335678ca235af3736677bd8039e25a6c1ee5efca
SHA256 f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
SHA512 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0

C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe

MD5 48e1bf0b6df63a18187e57348b06ad7e
SHA1 605402f1d2ce5a04dd205412ab9edd8f90261967
SHA256 8e154ba521608bcf09bba26189e9e1bf86cae70ef7f283579518a641a0ea955f
SHA512 54dd1dd4d9e2c7a849fe7576f66870978153976e05b029246ebdf8ae43a70a390c9377296d34dd439530609a42047d8bb8cf6be9a1bb7eff9c4e9d91f5041233

memory/232-44-0x0000028EBC2E0000-0x0000028EBC39C000-memory.dmp

memory/232-46-0x0000028ED6B90000-0x0000028ED6D39000-memory.dmp

memory/4348-45-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-47-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-49-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-51-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/232-52-0x0000028ED6B90000-0x0000028ED6D39000-memory.dmp

memory/4348-53-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-55-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-57-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-59-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-61-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-63-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-65-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-67-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-69-0x0000000000400000-0x0000000000DCB000-memory.dmp

memory/4348-71-0x0000000000400000-0x0000000000DCB000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-02 05:12
Reported: 2024-07-02 05:15
Platform: win10v2004-20240611-en
Max time kernel: 132s
Max time network: 152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\Interop.WMPLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\Interop.WMPLib.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-07-02 05:12
Reported: 2024-07-02 05:13
Platform: android-x86-arm-20240624-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-07-02 05:12
Reported: 2024-07-02 05:13
Platform: android-x64-20240624-en
Max time network: 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-07-02 05:12
Reported: 2024-07-02 05:13
Platform: android-x64-20240624-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-07-02 05:12
Reported: 2024-07-02 05:13
Platform: android-x64-arm64-20240624-en
Max time network: 8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-02 05:12
Reported: 2024-07-02 05:15
Platform: win7-20240220-en
Max time kernel: 65s
Max time network: 149s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\AxInterop.WMPLib.dll",#1

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
(the above row is reported 64 times, identically, for chrome.exe)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
(the above row is reported 50 times, identically, for chrome.exe)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 2856 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 2856 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 2856 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1428 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1524 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2708 wrote to memory of 1188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\AxInterop.WMPLib.dll",#1

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5eb9758,0x7fef5eb9768,0x7fef5eb9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1452 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3744 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3632 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1812 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2504 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2276 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2756 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 ogs.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 consent.google.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 waa-pa.clients6.google.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 172.217.16.234:443 waa-pa.clients6.google.com tcp
GB 172.217.16.234:443 waa-pa.clients6.google.com tcp
GB 172.217.16.234:443 waa-pa.clients6.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 beacons4.gvt2.com udp
US 216.239.32.116:443 beacons4.gvt2.com tcp
US 216.239.32.116:443 beacons4.gvt2.com udp

Files

\??\pipe\crashpad_2708_FKXMMKLZLOWHIEJE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ba05348f25d90ff9539c0d751cabe1fe
SHA1 d876723470b9c3fb4167b1a3873dc8dbba75c8ad
SHA256 3268c7d2809c6da51b5dd500a38f605e2d3922cc47c44fa8d98497754c16d35a
SHA512 0a831e8c89192d4783e445e11becd0c7d4b86f9cfe5a009e60d7474d467f3c67b81aa778107785a77b5265c76b4c5ba1034c597f5f7bb5cd2c13bd73391ca910

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 fafdfce914a028f641a0befc3fc523d1
SHA1 cf162c6a7afe968c222812b067e53cb143ad186f
SHA256 a10d672829d2be2b871fd8b363af5461d4bf0b7b2e2ca8b5f4ee729c50360ef3
SHA512 8f145d1b2a641ce6080d0f33c46832601a23371b14b08d631011e6ff13c55b896a5166ba4b8eb0fcd7526b61ac0062d2facb3a176700913e2332032b8f06dd82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar12DC.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 05:12

Reported

2024-07-02 05:15

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\AxInterop.WMPLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\AxInterop.WMPLib.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
BE 88.221.83.225:443 www.bing.com tcp
US 8.8.8.8:53 225.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-02 05:12

Reported

2024-07-02 05:13

Platform

android-x86-arm-20240624-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-02 05:12

Reported

2024-07-02 05:15

Platform

win7-20240508-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TiWorker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskeng.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TiWorker.exe C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe N/A
File opened for modification C:\Windows\SysWOW64\TiWorker.exe C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe N/A
File created C:\Windows\SysWOW64\config.json C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe N/A
File opened for modification C:\Windows\SysWOW64\config.json C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe N/A
File created C:\Windows\SysWOW64\MicrosoftWindows.xml C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe N/A
File opened for modification C:\Windows\SysWOW64\MicrosoftWindows.xml C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\TiWorker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2032 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2804 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2804 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2032 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2032 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2728 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2728 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2500 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2032 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2180 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2180 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2180 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2180 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2180 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2516 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\TiWorker.exe
PID 2516 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\TiWorker.exe
PID 2516 wrote to memory of 2924 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\TiWorker.exe
PID 2032 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1688 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1688 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2032 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe
PID 2032 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe
PID 2032 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe

"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\system32\schtasks.exe

schtasks /End /TN "WindowsUpdate"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit

C:\Windows\system32\schtasks.exe

schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"

C:\Windows\system32\schtasks.exe

schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\system32\taskeng.exe

taskeng.exe {DA244595-F473-41EC-8A40-BB0628130DC3} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit

C:\Windows\system32\certutil.exe

certutil –addstore –f root MicrosoftWindows.crt

C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe

"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.minexmr.com udp

Files

C:\Windows\SysWOW64\TiWorker.exe

C:\Windows\SysWOW64\MicrosoftWindows.xml

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt

C:\Windows\SysWOW64\config.json

C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-02 05:12

Reported

2024-07-02 05:15

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\Interop.WMPLib.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\Interop.WMPLib.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-02 05:12

Reported

2024-07-02 05:13

Platform

android-x64-arm64-20240624-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A