Malware Analysis Report

2025-06-16 06:37

Sample ID 240825-l6zets1ajq
Target 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy
SHA256 690c99dbd24a6160a035e6b2aa327ffe21bcc99e4e7afd0e5ec28c1b110b21ae
Tags discovery
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 690c99dbd24a6160a035e6b2aa327ffe21bcc99e4e7afd0e5ec28c1b110b21ae

Threat Level: Shows suspicious behavior

The file 2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy was found to show suspicious behavior.

Malicious Activity Summary

Tags discovery

Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-25 10:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-25 10:09
Reported 2024-08-25 10:11
Platform win7-20240729-en
Max time kernel 120s
Max time network 63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SView\\dwmsys.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\ = "systemui" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000_CLASSES\systemui\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | nwoccs.zapto.org | udp

Files

\Users\Admin\AppData\Roaming\Microsoft\SView\dwmsys.exe

MD5 a3f8cbc0c01d908299e7128d61ca044f
SHA1 3aaea9dd2f1f37ca0e013a87dc05ec08118813e4
SHA256 0133f7f5e45800dd4ca6e13eb91d1fb171a555ac370f6326bda711379ff20649
SHA512 f2cad0f5ba348c815698f23d50428bbf364125295482f60af8547023e2fd4b8c80983812c2adb639f1dcd2d1cc1ec1134ce51af674a93cdb2cdc92188c99b966

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-25 10:09
Reported 2024-08-25 10:12
Platform win10v2004-20240802-en
Max time kernel 144s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\ = "Application" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\ = "haldriver" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\Content-Type = "application/x-msdownload" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\DefaultIcon\ = "%1" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\wlogon32.exe\" /START \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_790c93e93ca7b7c3cdc9da3e70dc52cc_mafia_nionspy.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | nwoccs.zapto.org | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | nwoccs.zapto.org | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | nwoccs.zapto.org | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | nwoccs.zapto.org | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | nwoccs.zapto.org | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\wlogon32.exe

MD5 9a60869d3d959f755ccfe51904310cb8
SHA1 259086fa356e2724eb70142c0504d7f334923511
SHA256 335125eee227589085f287e5a08fcc29a08cca4e915b614aa1afad3a5008e378
SHA512 0a814c8ea311337234eaeb8d9cd2b07a4581e74a8d911a3029b4ea79892133ca257ada5cfb49b03be22773f387e466c74e6bbed1198722d70d417bbc4e21612c