fa0cfe8274608f23cef8c819fb121d55c4750e28f484ebdb37d57878c665aa5d

Analysis

max time kernel
120s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
10/03/2025, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyNote-V7.3.1.zip
Size

132.8MB
MD5

e4f1d7f911262ec816ca98cfeb6126d3
SHA1

8dbcea8c9ccccc3a002bd9262ee5bad8920f6167
SHA256

fa0cfe8274608f23cef8c819fb121d55c4750e28f484ebdb37d57878c665aa5d
SHA512

fb147f4d03e1a6d54a649dd214c2d9c1acb495de66092dd205da119cff0492c647783bfb80ce19f0d86452fefb68b64569617ba9b7a6592c36bef59cd134fc59
SSDEEP

3145728:CInrJgElMeW/ZL170hS15nrJgEUsanBG9XI2qiKLz4:CSFp25/d1hlFpUNBz2qPLk

Score

9^/10

defense_evasion discovery themida

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SpyNote.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SpyNote.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SpyNote.exe

Loads dropped DLL 1 IoCs

pid	Process
3468	SpyNote.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/files/0x001900000002b226-20.dat	themida
behavioral3/memory/3468-22-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-24-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-25-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-35-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-33-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-41-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-45-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-46-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-47-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-50-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-52-0x0000000072080000-0x0000000072660000-memory.dmp	themida
behavioral3/memory/3468-53-0x0000000072080000-0x0000000072660000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1116	payload.exe
1116	payload.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3768	1116	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpyNote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpyNote.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SpyNote.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 68003100000000006a5a9b9610005350594e4f547e312e3100004e0009000400efbe6a5a9a966a5a9b962e00000005b10200000019000000000000000000000000000000bce56c005300700079004e006f00740065002d00560037002e0033002e00310000001a000000	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0 = 50003100000000006a5a9a96100069636f6e73003c0009000400efbe6a5a9a966a5a9a962e00000018b10200000019000000000000000000000000000000fdc20800690063006f006e007300000014000000	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\MRUListEx = 00000000ffffffff	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	SpyNote.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	SpyNote.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 84003100000000006a5a9a961100444f43554d457e3100006c0009000400efbe525a66466a5a9a962e0000003857020000000100000000000000000042000000000095f97f0044006f00630075006d0065006e0074007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370037003000000018000000	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0 = 56003100000000006a5a9a9610007061796c6f616400400009000400efbe6a5a9a966a5a9a962e0000007bb10200000019000000000000000000000000000000db373d007000610079006c006f0061006400000016000000	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	SpyNote.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SpyNote.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Pictures"	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = 00000000ffffffff	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\0\MRUListEx = ffffffff	SpyNote.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SpyNote.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\0 = 50003100000000006a5a9a96100069636f6e73003c0009000400efbe6a5a9a966a5a9a962e00000080b102000000190000000000000000000000000000000afd2200690063006f006e007300000014000000	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\0	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\MRUListEx = 00000000ffffffff	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 = 5c003100000000006a5a9b9610005245534f55527e310000440009000400efbe6a5a9a966a5a9b962e00000007b10200000019000000000000000000000000000000c76630015200650073006f0075007200630065007300000018000000	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	SpyNote.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff	SpyNote.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\MRUListEx = 00000000ffffffff	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\0\0\0\NodeSlot = "6"	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	SpyNote.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	SpyNote.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	SpyNote.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe
3468	SpyNote.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	SpyNote.exe
Token: 33	2948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2948	AUDIODG.EXE
Token: SeDebugPrivilege	1116	payload.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1116	payload.exe
3468	SpyNote.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1116	3468	SpyNote.exe	99
PID 3468 wrote to memory of 1116	3468	SpyNote.exe	99
PID 3468 wrote to memory of 1116	3468	SpyNote.exe	99

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SpyNote-V7.3.1.zip
1⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3664,i,1287081917707126974,2546641302406706180,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:14
1⤵
PID:4252

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1624

C:\Users\Admin\Documents\SpyNote-V7.3.1\SpyNote.exe
"C:\Users\Admin\Documents\SpyNote-V7.3.1\SpyNote.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\Documents\SpyNote-V7.3.1\payload.exe
  "C:\Users\Admin\Documents\SpyNote-V7.3.1\payload.exe" kinP6dl87UCOxRdtpCpI7Ch1AMTUxH/K77Ercy+R6a+stzV7qsTLeshaNDjrSDAjcwyuZJu0vkKTlb1iupcweGjazheCLwbU0KGOFBDpUExDIxlkYdnX87h/C7/gy9eACCasEIUAkYL80G5RfCMpb/T8NHfB7dK3JAeCqz6RhpQjiqOt3r2bpMfRdba4YSU30/d9NlRMQSStX3eR3a/pMSMKN4pLxrKbOBbGf6xHUUEae3r2p6raAM0r0LFmM23ZI10DFxXhtQ/YD4xzNPCynq9C2QIANQggwmeSG+o7l3ovRFnJOix+ROQkQn+SNirHWicR/8cz/MQVeb+Sy2VcCqbuQakKApX1eRXHgTNr2u4=
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1072
    3⤵
    - Program crash
    PID:3768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1116 -ip 1116
1⤵
PID:2444

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4100,i,1287081917707126974,2546641302406706180,262144 --variations-seed-version --mojo-platform-channel-handle=5232 /prefetch:14
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\6344c96b-1f82-49ff-a383-b908fd1fc804.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\24d7ccce-8982-41f3-932e-dded1025f567\MicrosoftNetRT.dll

Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\Documents\SpyNote-V7.3.1\Resources\json\port.json

Filesize
54B

MD5
f026af4415cb44cf2da2647391a360ce

SHA1
e48e80ce3d9ac785b3aaa6a9d56cd0ea9aa57f20

SHA256
57e2be780fd8fc01e6c7cd97ed558638391c76c17fc6f7c075c705fca5e3b1d4

SHA512
adc8c71f559e9f74efbcae37e3b275f9cef40b41f0e135a8b311c38754d75b4c0c6f7d4cbbae95b9c7d611493ae66e1828f8fa9615ef71208e8e43de23e71bcc

Download Submit
memory/1116-40-0x0000000000820000-0x0000000001220000-memory.dmp

Filesize
10.0MB

Download
memory/1116-38-0x0000000000820000-0x0000000001220000-memory.dmp

Filesize
10.0MB

Download
memory/1116-37-0x0000000000820000-0x0000000001220000-memory.dmp

Filesize
10.0MB

Download
memory/1116-36-0x0000000000820000-0x0000000001220000-memory.dmp

Filesize
10.0MB

Download
memory/3468-11-0x0000000007900000-0x0000000007932000-memory.dmp

Filesize
200KB

Download
memory/3468-32-0x000000000D060000-0x000000000D3B7000-memory.dmp

Filesize
3.3MB

Download
memory/3468-14-0x0000000008200000-0x0000000008266000-memory.dmp

Filesize
408KB

Download
memory/3468-12-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/3468-22-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-24-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-25-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-26-0x0000000073990000-0x0000000073A1A000-memory.dmp

Filesize
552KB

Download
memory/3468-28-0x0000000008E80000-0x0000000008ED6000-memory.dmp

Filesize
344KB

Download
memory/3468-27-0x00000000082F0000-0x00000000082FA000-memory.dmp

Filesize
40KB

Download
memory/3468-29-0x000000000C240000-0x000000000C2B6000-memory.dmp

Filesize
472KB

Download
memory/3468-30-0x000000000BB30000-0x000000000BB94000-memory.dmp

Filesize
400KB

Download
memory/3468-31-0x000000000BBA0000-0x000000000BBC2000-memory.dmp

Filesize
136KB

Download
memory/3468-13-0x0000000008150000-0x0000000008184000-memory.dmp

Filesize
208KB

Download
memory/3468-35-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-33-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-10-0x0000000007450000-0x0000000007500000-memory.dmp

Filesize
704KB

Download
memory/3468-9-0x00000000073B0000-0x0000000007442000-memory.dmp

Filesize
584KB

Download
memory/3468-8-0x0000000007960000-0x0000000007F06000-memory.dmp

Filesize
5.6MB

Download
memory/3468-7-0x0000000007310000-0x00000000073AC000-memory.dmp

Filesize
624KB

Download
memory/3468-41-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-45-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-46-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-47-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-50-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-6-0x0000000000E50000-0x000000000205C000-memory.dmp

Filesize
18.0MB

Download
memory/3468-52-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download
memory/3468-53-0x0000000072080000-0x0000000072660000-memory.dmp

Filesize
5.9MB

Download