Malware Analysis Report

2025-08-05 16:00

Sample ID 240610-g4q88adb3s
Target 2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy
SHA256 9dee8eab9e86f148928de506ccaa80acb21bfa63fcb792d85c9a3572373ee924
Tags
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 9dee8eab9e86f148928de506ccaa80acb21bfa63fcb792d85c9a3572373ee924

Threat Level: Shows suspicious behavior

The file 2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy was found to show suspicious behavior.

Malicious Activity Summary


Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-10 06:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-10 06:21

Reported 2024-06-10 06:38

Platform win7-20231129-en

Max time kernel 121s

Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "prochost" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\sidebar2.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\sidebar2.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
PID 2372 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
PID 2372 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
PID 2372 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
PID 2532 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
PID 2532 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
PID 2532 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
PID 2532 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nwoccs.zapto.org udp

Files

\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe

MD5 81b5a41b1d5a20c3118cbc9a68766f63
SHA1 8c0fe2ec135fe28cd1ad32f2be875acd3a09ee27
SHA256 9e446dd0333b2efdc17f8e8bcee15caadfd563f7b466f3b043683e9c0f327b54
SHA512 930e3fc64d82e69bd74b3dd37489f62505952c0baabb053519c64d040ab6f8c12a0211a7ff1889ebf713cf7227467e5edd4f003472553c06b4c62ec03172fef0

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-10 06:21

Reported 2024-06-10 06:38

Platform win10v2004-20240426-en

Max time kernel 149s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\Content-Type = "application/x-msdownload" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\runas\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\SearchIndexerDB.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\ = "cmos" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\SearchIndexerDB.exe\" /START \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\DefaultIcon\ = "%1" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\open\command\IsolatedCommand = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\open C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\runas\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.exe\shell\runas C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\ = "Application" C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\cmos\shell\open\command C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\SearchIndexerDB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_e349ae2bd8e6d7e8e47852c2a2bc8edc_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\SearchIndexerDB.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\SearchIndexerDB.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\SearchIndexerDB.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\SearchIndexerDB.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\SearchIndexerDB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nwoccs.zapto.org udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\SearchIndexerDB.exe

MD5 26b5c45c56cd86ffba1e1cfe1f10346a
SHA1 637e149445f0bcd495554077e178f5aac6e3f617
SHA256 d017f0ca453280e9f82de0831ebdfe2bf439c74dd18aaabef39f4d4b5e6a4835
SHA512 a9ac6fb7ebad08d7d83d6f6e54e60917823cffb08e4d98cd431e3a2fdee0ac8edeb2560a823eb4beb9a3e36400ec93ec917051c93c5b07b7eaa0faa23beac320