Analysis Overview
SHA256
077b4fd180fb6b348d58d0a36a5ecd170e381b67b3d36cf41f1d2a64a59f2de1
Threat Level: Known bad
The file SpyNote5.0.zip was found to be: Known bad.
Malicious Activity Summary
Spynote payload
Spynote family
Declares services with permission to bind to the system
Requests dangerous framework permissions
Declares broadcast receivers with permission to handle system events
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-23 06:34
Signatures
Spynote family
Spynote payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-23 06:34
Reported
2024-10-23 06:38
Platform
win11-20241007-en
Max time kernel
218s
Max time network
220s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\apktool\apktool.bat"
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar -Duser.language=en "C:\Users\Admin\AppData\Local\Temp\apktool\\apktool.jar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\406273963\payload.dat"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04291610-7993-48c8-8dca-a039d2a377e1} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c39dd402-67ce-489b-86dc-1881c40707fb} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3104 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcf99819-43df-4007-b9ad-42a219463b42} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1276 -childID 2 -isForBrowser -prefsHandle 2496 -prefMapHandle 2488 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3cea11c-36f7-4c11-81b2-fd788891e209} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {891b7b2e-4e96-4038-ac1d-c73a7b5d0e20} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c50892-08fe-4f83-abcc-ac9bf5bc498f} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3162aec0-78bc-4f4b-9195-9b2689a48d7f} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5548 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d713d742-9c02-4063-81bb-fde9cd91c329} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6160 -childID 6 -isForBrowser -prefsHandle 5848 -prefMapHandle 6152 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {395cdef1-47d9-4c27-abb7-fdc3d96ce833} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 7 -isForBrowser -prefsHandle 5416 -prefMapHandle 5428 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6bf16d7-ffff-43dd-9252-d8724f6d587d} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 8 -isForBrowser -prefsHandle 6340 -prefMapHandle 5572 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fdb0273-1528-4d5e-938c-834b9d094e44} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 9 -isForBrowser -prefsHandle 5752 -prefMapHandle 5636 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfb4499f-11e7-40ee-a2e1-8cbdd4e9a021} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6708 -childID 10 -isForBrowser -prefsHandle 5776 -prefMapHandle 5764 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8f38bff-d750-4638-9044-d624c118f5cc} 1440 "\\.\pipe\gecko-crash-server-pipe.1440" tab
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 104.86.110.98:443 | | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| GB | 2.18.27.76:443 | r.bing.com | tcp |
| US | 20.42.65.84:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 76.27.18.2.in-addr.arpa | udp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| N/A | 127.0.0.1:49826 | | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:49833 | | tcp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | udp |
| GB | 142.250.200.46:443 | redirector.gvt1.com | tcp |
| DE | 23.55.161.211:80 | ciscobinary.openh264.org | tcp |
| GB | 142.250.200.46:443 | redirector.gvt1.com | udp |
| GB | 173.194.183.137:443 | r4.sn-aigl6ner.gvt1.com | tcp |
| GB | 173.194.183.137:443 | r4.sn-aigl6ner.gvt1.com | udp |
| GB | 142.250.180.17:443 | csp.withgoogle.com | tcp |
| GB | 142.250.180.17:443 | csp.withgoogle.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| GB | 172.217.16.238:443 | play.google.com | udp |
| GB | 216.58.201.110:443 | consent.google.com | tcp |
| GB | 216.58.201.110:443 | consent.google.com | udp |
| US | 104.26.3.33:443 | www.freecodecamp.org | tcp |
| US | 104.26.3.33:443 | www.freecodecamp.org | udp |
| US | 172.67.70.149:443 | www.freecodecamp.org | tcp |
| US | 172.67.70.149:443 | www.freecodecamp.org | tcp |
| US | 172.67.70.149:443 | www.freecodecamp.org | tcp |
| US | 172.67.70.149:443 | www.freecodecamp.org | tcp |
| US | 172.67.70.149:443 | www.freecodecamp.org | tcp |
| US | 172.67.70.149:443 | www.freecodecamp.org | tcp |
| US | 104.16.79.73:443 | static.cloudflareinsights.com | tcp |
| US | 172.67.70.149:443 | www.freecodecamp.org | udp |
| US | 151.101.2.208:443 | cdn.hashnode.com | tcp |
| GB | 216.58.204.66:443 | securepubads.g.doubleclick.net | tcp |
| GB | 216.58.204.66:443 | securepubads.g.doubleclick.net | udp |
| GB | 216.58.204.66:443 | securepubads.g.doubleclick.net | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| GB | 172.217.169.78:443 | www3.l.google.com | tcp |
| GB | 172.217.169.78:443 | www3.l.google.com | udp |
| GB | 142.250.180.1:443 | googlehosted.l.googleusercontent.com | tcp |
| GB | 142.250.180.1:443 | googlehosted.l.googleusercontent.com | udp |
| GB | 142.250.180.1:443 | googlehosted.l.googleusercontent.com | tcp |
| GB | 142.250.180.1:443 | googlehosted.l.googleusercontent.com | udp |
| GB | 216.58.204.65:443 | tpc.googlesyndication.com | tcp |
| GB | 216.58.204.65:443 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | udp |
| US | 142.251.40.131:443 | csi.gstatic.com | tcp |
| US | 142.251.40.131:443 | csi.gstatic.com | udp |
| GB | 142.250.200.33:443 | cdn-content.ampproject.org | tcp |
| GB | 142.250.200.33:443 | cdn-content.ampproject.org | tcp |
| GB | 142.250.200.33:443 | cdn-content.ampproject.org | tcp |
| GB | 142.250.200.33:443 | cdn-content.ampproject.org | tcp |
| GB | 142.250.200.33:443 | cdn-content.ampproject.org | tcp |
| GB | 142.250.200.33:443 | cdn-content.ampproject.org | udp |
| GB | 216.58.204.66:443 | securepubads.g.doubleclick.net | tcp |
Files
memory/1924-2-0x00000167E6440000-0x00000167E66B0000-memory.dmp
memory/1924-11-0x00000167E4C60000-0x00000167E4C61000-memory.dmp
memory/1924-14-0x00000167E4C60000-0x00000167E4C61000-memory.dmp
memory/1924-15-0x00000167E6440000-0x00000167E66B0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\71506cc5-4815-4240-87dd-82ee3f225f74.down_data
| Hash | Value |
| --- | --- |
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
memory/3848-22-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-23-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-24-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-25-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-26-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-27-0x00007FFF33CE0000-0x00007FFF33CF0000-memory.dmp
memory/3848-28-0x00007FFF33CE0000-0x00007FFF33CF0000-memory.dmp
memory/3848-54-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-57-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-56-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
memory/3848-55-0x00007FFF36510000-0x00007FFF36520000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp
| Hash | Value |
| --- | --- |
| MD5 | 7a00b5a6864ad00aba6fb714dd132339 |
| SHA1 | 85abbaeea1247210b7d33fb969ad446a7c0a47a8 |
| SHA256 | fb72caf5b7a784aadded55d781b841e630ac83f79a051aa5a25f131f68c196e7 |
| SHA512 | d700ddfdbfd6d0b80021e30690f2ad0da93121d5a7d3e3e8fd88ed099a250147b35c377c57940d6a2505b6433a520f01ce4e108a35967e5390b724d0ae25d257 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\ca79d28e-d8f0-40dc-8348-62716e19d109
| Hash | Value |
| --- | --- |
| MD5 | 38e4962323fe6732200aaa4d6e2667f4 |
| SHA1 | b66bbfa1e23a4a143658adf4cdf30bd7272d64b6 |
| SHA256 | 02c34e499968569cd680c7eb961c38809fa191ec11747e49db7e5527f614f7ce |
| SHA512 | fa9240268da4a80080347f7e19041652efaf8a6b9adbec17f6eeb4b718b929e9aba22deddc55a7dbfe54eedfc8ddbd19cefda000ad4b95db2777a96ff7a7774c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\ea647c9e-a75d-4841-bb50-0d536ff6dde8
| Hash | Value |
| --- | --- |
| MD5 | 6da7c35cfeada52c80001b66d99b6eb5 |
| SHA1 | 4581f4bfa361d05a7f692c86da6666a545b6f9a1 |
| SHA256 | ee4a80ace188b1e9a28565b54d74df48d5ba4894caa4435b9d7f2e2cd2830aa9 |
| SHA512 | e23d07348a335cf2500129ac9af9f3b1cf1576ed3f13035b4ba25ff3b5e68d8588aa1573e618ab3d9acbf4811c8de03ce217d09dee9c3691e644f2f94864ac34 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\52368118-c8a8-4ada-9430-65823bbe5024
| Hash | Value |
| --- | --- |
| MD5 | f7f2c90f6a9798d574984fc4c174f54f |
| SHA1 | 5425db820ad73184c7ff6af3fbd346a8a41b8c56 |
| SHA256 | 9b44855c0617cc3cab935acc25f69f89dc3769ada8ee9ddf5d1cc1359e3f6d83 |
| SHA512 | 65b87bbd1084380dcb4158b1848d01372ac591c2aed02e5789c566e5c6580dea73277810a1b2a3a3c4ca8d37e9c2f6250f3e13b0f9efa89feaf4710dee0fee63 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json
| Hash | Value |
| --- | --- |
| MD5 | 98811c061bb624c88d109baacf3eaa74 |
| SHA1 | 08087632fcffbad10745813654036feda3b7671a |
| SHA256 | fc7ac243b3bb41baaf6d9af53544f335279d41bed4ec4cd0152c0470fd15f120 |
| SHA512 | b9d556ae1fb9daffb53d0d02fe32dc24fff1dde289f6633d48f0c4711dfa8d65808e314c762965b5762d3220a6da67616a205eb37b38f857f2b4abf7bb3b3e1f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp
| Hash | Value |
| --- | --- |
| MD5 | dc61dd3ab67b754bee89511a1ea1848d |
| SHA1 | be8ad0270c868cd967f1a34ed9b62a5cd83dc8cf |
| SHA256 | 4ad263137bd34a5542f1200278c0ed864a2a3e8bd015c176c4e169e6b090ab13 |
| SHA512 | c31f03f332e9a572325a8f1120d6bbb91bde18a533aebf6ce1cfe96bce0d1e7b265b12a241ef440ff1f3bde6df4ba8681c6b729ec3f5a9c8990b35bef07df236 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js
| Hash | Value |
| --- | --- |
| MD5 | 6304f76e5709f80d4320a0703f5bbcba |
| SHA1 | 118ca10be8aee60971d07dcde1cb0c3f6959bbb1 |
| SHA256 | 097aeec64b7c812ae18ff521b5f9ef611407758fabd73875058279d7414e82cd |
| SHA512 | 19221a1f284a7e5948f54a610b5b664346d6784df1a76e32bd7221f4b272d4e3767debbcf0490362e306de8d5ba4fc4dec9eeb0bd840a60822354bf6da30f35a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js
| Hash | Value |
| --- | --- |
| MD5 | ec20b5e01b56bc3ceedae69e0a4bd42e |
| SHA1 | c7fd94ea493e1e2adcd3d93d686ca933bc3b6034 |
| SHA256 | 4754d910d303323064add176f49392f99fb58ce625edbc2f45a1625edc643801 |
| SHA512 | c03c3f3f99e4a0be5d3f0204ba80045cb4ade25ada34122f6cd208b4af420defce354692df9e693478aa8cab90a04ac9d2ffbf4e31cbbb458f9056539feb0b76 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin
| Hash | Value |
| --- | --- |
| MD5 | 483e1f9981383532ca8a3b3ac2f8ce76 |
| SHA1 | 783437029ba5d548c498a238bccad3840b63ff73 |
| SHA256 | bbeaf3e2313d57437564ac839ace27e0a2947dcabdc3e45754868606fcabedd2 |
| SHA512 | 7c6d020df0fe3c9b19204d06ece4c4077e278f9509710f8a4adfe7d12cd6508d65718edf7c5fd8c278c9d86da87e018870aeb451586a1267ea3621bc2e7a8efd |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\6915ADB9552E6ED57657BAEEF0AAE1DA1B8F2C5E
| Hash | Value |
| --- | --- |
| MD5 | 48e3ad6f053ec3a6550eac98b89bdbbf |
| SHA1 | 870c74d29d4b1122d8da37853c23109b860c0330 |
| SHA256 | b81516957bad89ee1285d92993d987b5d1f59452109cdf0d15a713e99aa7ba71 |
| SHA512 | 8963c88c1c1f643ae082af46d94dc5f10d4291ad9073c6a3bdfc446a2f15ea96ae5c921b888b9c2dd28efd6675efe0b40afed486e2152054a9dc7f8cd979b071 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp
| Hash | Value |
| --- | --- |
| MD5 | d6e60b13ced579465fd7fd3b1dd18b2f |
| SHA1 | ebbf605020a2a5f77e4ebf7c812354e53af99d00 |
| SHA256 | 8624fb9b9dde42f121a74c30e3e6f3b824a7b7939d503e64d15a343522f0c4ea |
| SHA512 | aba629f1567e317c9fb47d91e90a6e4c5cb482360031e10b954af17f8b1db29103c831bc7e38ee77c6e862d33d42a4dbf5a9ed314e1d5775584bab3c3c2aac3f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4
| Hash | Value |
| --- | --- |
| MD5 | e6826124b58a1771915e5b9358c149fa |
| SHA1 | 93797ffb55adf70a2bb8def6dcb0472a0929472b |
| SHA256 | 5cadbf11d863ce004929452224cad7b853d435f2f65d86b4be249d8c15995c27 |
| SHA512 | 34acd16b2b5952897020974d11b78005fe04ea234ca2ddab283c42efcea85b0a1b48af8bfedd70f639214d099c6750d34077165fcf252fff96d5a786a9ecd535 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| Hash | Value |
| --- | --- |
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| Hash | Value |
| --- | --- |
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| Hash | Value |
| --- | --- |
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin
| Hash | Value |
| --- | --- |
| MD5 | aae44705ff7de16a689d93a38ae6562f |
| SHA1 | dc43131c66898b6f79722244f4a1e2e80185a6d1 |
| SHA256 | 2e6ccde1a8a50f753f0e9485fe11bafc428ff02ba7384aa72a07d5fda942e522 |
| SHA512 | 337524688475934aa22a9ad74b6c5ef3be16bf1523e94edff5054751588bde4383f2214dab435057bf07652db9dabbcde46f19d6aab1886fbf1872463be7c467 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js
| Hash | Value |
| --- | --- |
| MD5 | a44864fa675aac05bf3ee39a69ee0acf |
| SHA1 | f9c0062f29fbac42ea5f734421826894c4f4ac12 |
| SHA256 | 5ade0913e3fa490f002a6c76311c196dde84a95c9da5c9fc9a9ecca9f4a28efc |
| SHA512 | 8135da9cbbd940bd3494593be4c531d45421ca331acf5ebdfc7e9479d49bf92fbc1342995837bbad71c690d37fe6f353f23d0cc8ff3218bfd41a893dd4ddf637 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| Hash | Value |
| --- | --- |
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| Hash | Value |
| --- | --- |
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| Hash | Value |
| --- | --- |
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4
| Hash | Value |
| --- | --- |
| MD5 | 939205816aef6eab4257b504c4b6c4b8 |
| SHA1 | 3b964a70bc0a7b68d2795f776e290cbbb834c6e3 |
| SHA256 | 2eba5dc775870e0094672affae3d506a92b857b0a585c0a97a2ebc4c7f681e44 |
| SHA512 | e55f2f8558ea6ed5697fb208b873afc9fe2f186b8801c4a66f3839f1fac033ce5210a7654399ed12bbcd225c0226384d4e1562c81aab2a3bcc2fa5d20c160d37 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4
| Hash | Value |
| --- | --- |
| MD5 | b8b139b7603c29a289de6bbc593f4433 |
| SHA1 | f098dfabe9122747037098e450f94dd14891b51c |
| SHA256 | f5f828c6f4c64ca00eebd3e4c584eea3940a415a1e322691f399a794a441321e |
| SHA512 | eff8a7486843f05662248416e20668077054400f31586d011761be3e8e14955a9e4d1e618fa26a8661a37feb3a8131ce2043c79d7fa0ce16ccf91efb442f2269 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 6daf8aa739309e8167409dd85c5e7845 |
| SHA1 | 36a44912c2ccbd771a1a04488b6b43eeb9da0b7f |
| SHA256 | 4e02b63823206c70717e1a27156e636eb8a78b1644ed3c93669f625902969cec |
| SHA512 | a8ec8fb237b6f2ea81a0a3bd8f98460bcb3a022aca10fae603e994c074531dd75978e4e66d390cf3fb28e2987248ebb41f73f6650025a40ffb648165d11f4544 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4
| MD5 | c224095a21b5d41fa1eb1a0b50769617 |
| SHA1 | cc0ccfc825eefd0edaba4ca35d562c9febe228a5 |
| SHA256 | 01628f960d2e30ac751184a6a674bfeea556f3e3253ba45147919f386d8f2686 |
| SHA512 | 3564144aeb0e00b8190945ec271f9ce5eb61246347558ea6a440661d60394b2ae48234f5289a30c68b68856d3c92e76db9e26350af543be881aaeea930ef0af2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js
Analysis: behavioral3
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-10-23 06:34 | 2024-10-23 06:37 | win11-20241007-en | 146s | 150s |
Command Line
Signatures
Processes
| Process | Command line |
| C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | java -jar C:\Users\Admin\AppData\Local\Temp\apktool\signapk.jar |
Network
Files
Analysis: behavioral4
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-10-23 06:34 | 2024-10-23 06:37 | win11-20241007-en | 146s | 152s |
Command Line
Signatures
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\SpyNote5.0\AxInterop.WMPLib.dll,#1 |
Network
Files
Analysis: behavioral5
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-10-23 06:34 | 2024-10-23 06:37 | win11-20241007-en | 92s | 94s |
Command Line
Signatures
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\SpyNote5.0\Interop.WMPLib.dll,#1 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-10-23 06:34 | 2024-10-23 06:37 | win11-20241007-en | 91s | 96s |
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\SpyNote5.0\Patch\Patch-StaminaMode-release.apk |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-10-23 06:34 | 2024-10-23 06:37 | win11-20241007-en | 147s | 153s |
Command Line
Signatures
Processes
| Process | Command line |
| C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | java -jar C:\Users\Admin\AppData\Local\Temp\apktool\apktool.jar |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-10-23 06:34 | 2024-10-23 06:37 | win11-20241007-en | 146s | 152s |
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\SpyNote5.0\Patch\Patch-release.apk |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
Network
Files
Analysis: behavioral8
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-10-23 06:34 | 2024-10-23 06:37 | win11-20241007-en | 149s | 154s |
Command Line
Signatures
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\SpyNote5.0\SpyNote.exe | "C:\Users\Admin\AppData\Local\Temp\SpyNote5.0\SpyNote.exe" |
Network
Files