Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/09/2024, 21:02 UTC

General

  • Target

    4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe

  • Size

    349KB

  • MD5

    090e974c7161cffe453d7b57b9023308

  • SHA1

    2ff3846c3800e0f729c30352f01a8b742b44569f

  • SHA256

    4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559

  • SHA512

    930b42fa9668f0ea56194e5d3e1374fe6bdd70402f9ef0609fe2d4ba7912c105b4f6909d265ea5d2e9432a0f3531ef085f1bd3f3569236a58d691ea5dcf313c6

  • SSDEEP

    6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIq:FB1Q6rpr7MrswfLjGwW5xFdRyJpt

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

C2

bemery2.no-ip.biz:57628

127.0.0.1:57628

Mutex

997af15f-5576-4030-975c-eb3264fb6789

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2015-04-23T21:31:33.540664436Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    57628

  • default_group

    grace

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+08

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+09

  • mutex

    997af15f-5576-4030-975c-eb3264fb6789

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    bemery2.no-ip.biz

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.2

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes so the file is no longer shown in Explorer and similar tools.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 18 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
    "C:\Users\Admin\AppData\Local\Temp\4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4856
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3044
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3944
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2440
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:636
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1120
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2412
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4816
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2860
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1640
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
    • C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\4b92fdaa113dac47177e66fc158ef7ba8d8e30604d2befaf93308289e8758559.exe
      2⤵
      • Sets file to hidden
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:1356
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4420
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1800
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4724
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1040
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2644
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1956
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4848
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4396
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1612
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2716
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2288
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3524
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4924
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3376
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1844
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2060
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2600
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1636
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:5016
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4888
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4352
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4548
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3356
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:940
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3592
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3032
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1416

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    google.com
    ping.exe
    Remote address:
    8.8.8.8:53
    Request
    google.com
    IN A
    Response
    google.com
    IN A
    142.250.200.14
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.210.23.2.in-addr.arpa
    IN PTR
    Response
    5.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-5.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    4.4.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.4.8.8.in-addr.arpa
    IN PTR
    Response
    4.4.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.4.4:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • flag-us
    DNS
    bemery2.no-ip.biz
    RegAsm.exe
    Remote address:
    8.8.8.8:53
    Request
    bemery2.no-ip.biz
    IN A
    Response
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 127.0.0.1:57628
    RegAsm.exe
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    google.com
    dns
    ping.exe
    56 B
    72 B
    1
    1

    DNS Request

    google.com

    DNS Response

    142.250.200.14

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    5.210.23.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    5.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    4.4.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    4.4.8.8.in-addr.arpa

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe

    Filesize

    349KB

    MD5

    afdc9bc67929288fbc720dd366129967

    SHA1

    cd269c5bdda94be2f18f36b9054ad83e83978dc7

    SHA256

    75b8a2ada1452d01880956495283748f3368295387858cdcbbd05923a3b0197a

    SHA512

    e1a5616ee6251a14bbe0fadc3678ae13f74b95bc543ea1797afa707876c90e80fa064b9eb086b063326047253e31d6254d77b1fb0dea0c07772497710bc0e1b4

  • memory/2024-0-0x0000000074822000-0x0000000074823000-memory.dmp

    Filesize

    4KB

  • memory/2024-1-0x0000000074820000-0x0000000074DD1000-memory.dmp

    Filesize

    5.7MB

  • memory/2024-2-0x0000000074820000-0x0000000074DD1000-memory.dmp

    Filesize

    5.7MB

  • memory/2024-4-0x0000000074822000-0x0000000074823000-memory.dmp

    Filesize

    4KB

  • memory/2024-5-0x0000000074820000-0x0000000074DD1000-memory.dmp

    Filesize

    5.7MB

  • memory/2984-6-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB
