Analysis

  • max time kernel: 148s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07-10-2024 23:55

General

  • Target: 8405d2de069db4148cf23d308bf0b98a50e92b3cf097c14188dcad7af188c474.exe
  • Size: 349KB
  • MD5: c110b67a5962c753fdd7e10c9c637190
  • SHA1: e4555b52e0d8da9d396cddbe1422ef9c39e96612
  • SHA256: 8405d2de069db4148cf23d308bf0b98a50e92b3cf097c14188dcad7af188c474
  • SHA512: 39eb3e2ef6243a990d4974ec464bd783d047a7edc678e3d9b4fff141eeb5303a9797273e25d2577eaa8be0878c67bb3bec549a7c6b44496fcd4db4968fc7920c
  • SSDEEP: 6144:FB1QKZaOpBjQepew/PjuGyFPr527Uf2u/jGw0qun597/QKjJ8zkjDpyAYpIS:FB1Q6rpr7MrswfLjGwW5xFdRyJpZ

Malware Config

Extracted

  • Family: nanocore
  • Version: 1.2.2.2
  • C2: bemery2.no-ip.biz:57628, 127.0.0.1:57628
  • Mutex: 997af15f-5576-4030-975c-eb3264fb6789

Attributes

  • activate_away_mode: true
  • backup_connection_host: 127.0.0.1
  • backup_dns_server: 8.8.4.4
  • buffer_size: 65535
  • build_time: 2015-04-23T21:31:33.540664436Z
  • bypass_user_account_control: true
  • bypass_user_account_control_data: (empty)
  • clear_access_control: true
  • clear_zone_identifier: true
  • connect_delay: 4000
  • connection_port: 57628
  • default_group: grace
  • enable_debug_mode: true
  • gc_threshold: 1.048576e+08
  • keep_alive_timeout: 30000
  • keyboard_logging: false
  • lan_timeout: 2500
  • max_packet_size: 1.048576e+09
  • mutex: 997af15f-5576-4030-975c-eb3264fb6789
  • mutex_timeout: 5000
  • prevent_system_sleep: true
  • primary_connection_host: bemery2.no-ip.biz
  • primary_dns_server: 8.8.8.8
  • request_elevation: true
  • restart_delay: 5000
  • run_delay: 0
  • run_on_startup: false
  • set_critical_process: true
  • timeout_interval: 5000
  • use_custom_dns_server: false
  • version: 1.2.2.2
  • wan_timeout: 8000

Signatures

  • NanoCore
    NanoCore is a remote access tool (RAT) with a variety of capabilities.
  • Sets file to hidden (1 TTP, 1 IoC)
    Modifies file attributes so the file is not shown in Explorer and similar tools.
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely for geofencing.
  • Adds Run key to start application (2 TTPs, 17 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 39 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 20 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • Runs ping.exe (1 TTP, 20 IoCs)
  • Suspicious behavior: EnumeratesProcesses (33 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8405d2de069db4148cf23d308bf0b98a50e92b3cf097c14188dcad7af188c474.exe
    "C:\Users\Admin\AppData\Local\Temp\8405d2de069db4148cf23d308bf0b98a50e92b3cf097c14188dcad7af188c474.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:904
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1984
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2608
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:992
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:648
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1172
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1192
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3768
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2192
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4852
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\8405d2de069db4148cf23d308bf0b98a50e92b3cf097c14188dcad7af188c474.exe
      2⤵
      • Sets file to hidden
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:1040
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3464
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3240
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1120
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4376
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4000
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2952
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1708
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3040
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:376
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3640
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1556
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3992
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2720
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1428
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3500
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3608
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:5036
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4360
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:996
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3244
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:5000
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4356
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:372
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2172
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:4168
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Google Chrome" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1624

Network

  • DNS 76.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 76.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS google.com (ping.exe)
    Remote address: 8.8.8.8:53
    Request: google.com IN A
    Response: google.com IN A 216.58.212.238
  • DNS 212.20.149.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 212.20.149.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 241.42.69.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 241.42.69.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 66.209.201.84.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 66.209.201.84.in-addr.arpa IN PTR
    Response: (empty)
  • DNS bemery2.no-ip.biz (RegAsm.exe; this lookup is retried many times during the run, alternating between 8.8.8.8 and 8.8.4.4, and never receives an answer)
    Remote address: 8.8.8.8:53
    Request: bemery2.no-ip.biz IN A
    Response: (empty)
  • DNS bemery2.no-ip.biz (RegAsm.exe)
    Remote address: 8.8.4.4:53
    Request: bemery2.no-ip.biz IN A
    Response: (empty)
  • DNS 4.4.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 4.4.8.8.in-addr.arpa IN PTR
    Response: 4.4.8.8.in-addr.arpa IN PTR dns.google
  • DNS 240.221.184.93.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 240.221.184.93.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 11.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 11.227.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • 127.0.0.1:57628
    RegAsm.exe (10 connection attempts to the configured backup C2 on loopback)
  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    google.com
    dns
    ping.exe
    56 B
    72 B
    1
    1

    DNS Request

    google.com

    DNS Response

    216.58.212.238

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    66.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    66.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.4.4:53
    bemery2.no-ip.biz
    dns
    RegAsm.exe
    63 B
    123 B
    1
    1

    DNS Request

    bemery2.no-ip.biz

  • 8.8.8.8:53
    4.4.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    4.4.8.8.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\subfolder\chrome.exe.exe

    Filesize

    349KB

    MD5

    696391d20c109b4cbcd9a2de4c7f616e

    SHA1

    6da474adbf09acf476eacdd713c9f70bb67784e6

    SHA256

    12106bbc0022b750ea2cf3a04912f1c59f8e95934a1f60e7960c915871bba303

    SHA512

    ab5dcf66cfd6396afb1f184cd6d6d63fcf1cd48b11619ab3d2f45d01d499bd7469869a20ccc2860a9cc4108874d7868d368b88875de937effec11bf4a1e7404a

  • memory/3060-6-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/4712-0-0x0000000075352000-0x0000000075353000-memory.dmp

    Filesize

    4KB

  • memory/4712-1-0x0000000075350000-0x0000000075901000-memory.dmp

    Filesize

    5.7MB

  • memory/4712-2-0x0000000075350000-0x0000000075901000-memory.dmp

    Filesize

    5.7MB

  • memory/4712-4-0x0000000075352000-0x0000000075353000-memory.dmp

    Filesize

    4KB

  • memory/4712-5-0x0000000075350000-0x0000000075901000-memory.dmp

    Filesize

    5.7MB
