troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom[.]zip

Resubmissions

21/07/2024, 11:29 UTC

240721-nlvl9aygqb 6

21/07/2024, 11:22 UTC

240721-ngvrfs1dkr 10

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 11:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3712-136-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-138-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-140-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-137-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-143-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1544-144-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1544-145-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1544-146-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4552-150-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4016-152-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-153-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4180-155-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4552-156-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4016-160-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4180-162-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-179-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3712-180-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Endermanch@NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
114	camo.githubusercontent.com
115	camo.githubusercontent.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133660346349762864"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1868	msedge.exe
1868	msedge.exe
3532	msedge.exe
3532	msedge.exe
1740	identity_helper.exe
1740	identity_helper.exe
4152	msedge.exe
4152	msedge.exe
3712	Endermanch@NoMoreRansom.exe
3712	Endermanch@NoMoreRansom.exe
3712	Endermanch@NoMoreRansom.exe
3712	Endermanch@NoMoreRansom.exe
1544	Endermanch@NoMoreRansom.exe
1544	Endermanch@NoMoreRansom.exe
1544	Endermanch@NoMoreRansom.exe
1544	Endermanch@NoMoreRansom.exe
4552	Endermanch@NoMoreRansom.exe
4552	Endermanch@NoMoreRansom.exe
4552	Endermanch@NoMoreRansom.exe
4552	Endermanch@NoMoreRansom.exe
4016	Endermanch@NoMoreRansom.exe
4016	Endermanch@NoMoreRansom.exe
4016	Endermanch@NoMoreRansom.exe
4016	Endermanch@NoMoreRansom.exe
4180	Endermanch@NoMoreRansom.exe
4180	Endermanch@NoMoreRansom.exe
4180	Endermanch@NoMoreRansom.exe
4180	Endermanch@NoMoreRansom.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
1908	chrome.exe
1908	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	taskmgr.exe
Token: SeSystemProfilePrivilege	2256	taskmgr.exe
Token: SeCreateGlobalPrivilege	2256	taskmgr.exe
Token: 33	2256	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2256	taskmgr.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 4076	3532	msedge.exe	84
PID 3532 wrote to memory of 4076	3532	msedge.exe	84
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 824	3532	msedge.exe	85
PID 3532 wrote to memory of 1868	3532	msedge.exe	86
PID 3532 wrote to memory of 1868	3532	msedge.exe	86
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87
PID 3532 wrote to memory of 1048	3532	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff904346f8,0x7fff90434708,0x7fff90434718
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17400405778938111267,16662504175630584977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:916

C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe
"C:\Users\Admin\Desktop\Endermanch@NoMoreRansom.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff80e0cc40,0x7fff80e0cc4c,0x7fff80e0cc58
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3392,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5324,i,11450505293904766831,1793703975618013858,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:6052

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4528

Network

DNS

github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip

msedge.exe

Remote address:

20.26.156.215:443

Request

GET /Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip HTTP/2.0
host: github.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 302

server: GitHub.com
date: Sun, 21 Jul 2024 11:22:49 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
access-control-allow-origin:
location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/github-completion/completions proxy.enterprise.githubcopilot.com/v1/engines/github-completion/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
content-length: 0
x-github-request-id: D633:14DB61:259EB86:2A22F52:669CEF89
DNS

raw.githubusercontent.com

msedge.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133
GET

https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip

msedge.exe

Remote address:

185.199.108.133:443

Request

GET /Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip HTTP/2.0
host: raw.githubusercontent.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: application/zip
etag: W/"2c2e0f8071b5f5c50b750de55dec04d3c4c06319c150c609825afcb049b48fad"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: C768:854E4:2CD24E:3901BF:669CEF88
accept-ranges: bytes
date: Sun, 21 Jul 2024 11:22:49 GMT
via: 1.1 varnish
x-served-by: cache-lon4267-LON
x-cache: MISS
x-cache-hits: 0
x-timer: S1721560970.823009,VS0,VE153
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: 9d4998aa03ed4300d402d0d589a3fb5e39f19ee9
expires: Sun, 21 Jul 2024 11:27:49 GMT
source-age: 0
content-length: 938498
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

240.143.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.143.123.92.in-addr.arpa

IN PTR

Response

240.143.123.92.in-addr.arpa

IN PTR

a92-123-143-240deploystaticakamaitechnologiescom
DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

244.244.23.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

244.244.23.193.in-addr.arpa

IN PTR

Response

244.244.23.193.in-addr.arpa

IN PTR

dannenbergtorauthde
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

10.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.180.250.142.in-addr.arpa

IN PTR

Response

10.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f101e100net
DNS

4.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.180.250.142.in-addr.arpa

IN PTR

Response

4.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f41e100net
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

172.217.16.238
DNS

238.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.16.217.172.in-addr.arpa

IN PTR

Response

238.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f141e100net

238.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f14�I
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 589683
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 679AA08062B14C0582D41528DD98B578 Ref B: LON04EDGE1221 Ref C: 2024-07-21T11:24:15Z
date: Sun, 21 Jul 2024 11:24:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 797704
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3C2B1E9D49CA4196BB6457265993616E Ref B: LON04EDGE1221 Ref C: 2024-07-21T11:24:15Z
date: Sun, 21 Jul 2024 11:24:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301308_1V23M6H7DG8T3CRA5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301308_1V23M6H7DG8T3CRA5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 554838
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 97B50249A1CE4E39BB75522F60E88667 Ref B: LON04EDGE1221 Ref C: 2024-07-21T11:24:15Z
date: Sun, 21 Jul 2024 11:24:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301717_1QD8K4REPRL31N6EW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301717_1QD8K4REPRL31N6EW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 575578
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DB4E73302E1D48E6B768736D630323B9 Ref B: LON04EDGE1221 Ref C: 2024-07-21T11:24:15Z
date: Sun, 21 Jul 2024 11:24:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 706510
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C547686804B844E8B256585E8DE7E621 Ref B: LON04EDGE1221 Ref C: 2024-07-21T11:24:15Z
date: Sun, 21 Jul 2024 11:24:14 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 458468
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7AAFB519DC6E48478E08C3539C4F887E Ref B: LON04EDGE1221 Ref C: 2024-07-21T11:24:15Z
date: Sun, 21 Jul 2024 11:24:15 GMT
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

github.githubassets.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github.githubassets.com

IN A

Response

github.githubassets.com

IN A

185.199.108.154

github.githubassets.com

IN A

185.199.111.154

github.githubassets.com

IN A

185.199.110.154

github.githubassets.com

IN A

185.199.109.154
DNS

avatars.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

avatars.githubusercontent.com

IN A

Response

avatars.githubusercontent.com

IN A

185.199.111.133

avatars.githubusercontent.com

IN A

185.199.108.133

avatars.githubusercontent.com

IN A

185.199.109.133

avatars.githubusercontent.com

IN A

185.199.110.133
DNS

user-images.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

user-images.githubusercontent.com

IN A

Response

user-images.githubusercontent.com

IN A

185.199.109.133

user-images.githubusercontent.com

IN A

185.199.108.133

user-images.githubusercontent.com

IN A

185.199.111.133

user-images.githubusercontent.com

IN A

185.199.110.133
DNS

github-cloud.s3.amazonaws.com

chrome.exe

Remote address:

8.8.8.8:53

Request

github-cloud.s3.amazonaws.com

IN A

Response

github-cloud.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

52.217.116.161

s3-w.us-east-1.amazonaws.com

IN A

16.182.106.9

s3-w.us-east-1.amazonaws.com

IN A

52.217.123.9

s3-w.us-east-1.amazonaws.com

IN A

52.217.226.121

s3-w.us-east-1.amazonaws.com

IN A

52.216.146.235

s3-w.us-east-1.amazonaws.com

IN A

54.231.128.153

s3-w.us-east-1.amazonaws.com

IN A

3.5.27.115

s3-w.us-east-1.amazonaws.com

IN A

16.182.34.217
DNS

camo.githubusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

camo.githubusercontent.com

IN A

Response

camo.githubusercontent.com

IN A

185.199.111.133

camo.githubusercontent.com

IN A

185.199.108.133

camo.githubusercontent.com

IN A

185.199.110.133

camo.githubusercontent.com

IN A

185.199.109.133
DNS

154.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.108.199.185.in-addr.arpa

IN PTR

Response

154.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-154githubcom
DNS

133.111.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.111.199.185.in-addr.arpa

IN PTR

Response

133.111.199.185.in-addr.arpa

IN PTR

cdn-185-199-111-133githubcom
DNS

content-autofill.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

content-autofill.googleapis.com

IN A

Response

content-autofill.googleapis.com

IN A

216.58.212.234

content-autofill.googleapis.com

IN A

142.250.200.42

content-autofill.googleapis.com

IN A

142.250.187.234

content-autofill.googleapis.com

IN A

172.217.16.234

content-autofill.googleapis.com

IN A

142.250.187.202

content-autofill.googleapis.com

IN A

142.250.200.10

content-autofill.googleapis.com

IN A

142.250.179.234

content-autofill.googleapis.com

IN A

142.250.180.10

content-autofill.googleapis.com

IN A

216.58.212.202

content-autofill.googleapis.com

IN A

216.58.204.74

content-autofill.googleapis.com

IN A

142.250.178.10

content-autofill.googleapis.com

IN A

172.217.169.10

content-autofill.googleapis.com

IN A

216.58.201.106
DNS

collector.github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

collector.github.com

IN A

Response

collector.github.com

IN CNAME

glb-db52c2cf8be544.github.com

glb-db52c2cf8be544.github.com

IN A

140.82.114.21
DNS

api.github.com

chrome.exe

Remote address:

8.8.8.8:53

Request

api.github.com

IN A

Response

api.github.com

IN A

20.26.156.210
DNS

234.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.212.58.216.in-addr.arpa

IN PTR

Response

234.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f2341e100net

234.212.58.216.in-addr.arpa

IN PTR

lhr25s28-in-f10�J

234.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f10�J
DNS

210.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.156.26.20.in-addr.arpa

IN PTR

Response
DNS

210.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.156.26.20.in-addr.arpa

IN PTR

Response
DNS

21.114.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.114.82.140.in-addr.arpa

IN PTR

Response

21.114.82.140.in-addr.arpa

IN PTR

lb-140-82-114-21-iadgithubcom

20.26.156.215:443

https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip

tls, http2

msedge.exe

1.9kB
7.9kB
15
13

HTTP Request

GET https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip

HTTP Response

302
185.199.108.133:443

https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip

tls, http2

msedge.exe

17.9kB
974.3kB
364
712

HTTP Request

GET https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip

HTTP Response

200
127.0.0.1:57742

Endermanch@NoMoreRansom.exe
193.23.244.244:443

www.hkq3a5.com

tls

Endermanch@NoMoreRansom.exe

3.0kB
5.6kB
12
9
127.0.0.1:57755

Endermanch@NoMoreRansom.exe
127.0.0.1:57762

Endermanch@NoMoreRansom.exe
127.0.0.1:57766

Endermanch@NoMoreRansom.exe
127.0.0.1:57771

Endermanch@NoMoreRansom.exe
142.250.180.4:443

www.google.com

tls

chrome.exe

1.0kB
4.6kB
8
9
172.217.16.238:443

clients2.google.com

tls

chrome.exe

1.1kB
8.1kB
10
10
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

133.1kB
3.8MB
2779
2775

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418547_1N5DXBL93QHFGMSRD&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388056_1O9WMGQV7BVEGHO4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301308_1V23M6H7DG8T3CRA5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301717_1QD8K4REPRL31N6EW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388057_1GGG85785BK7BP6Y7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418548_1UEU8RPM3S7H7G0D8&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
20.26.156.215:443

github.com

tls

chrome.exe

897 B
4.0kB
7
8
20.26.156.215:443

github.com

tls

chrome.exe

7.5kB
166.9kB
93
155
185.199.108.154:443

github.githubassets.com

tls

chrome.exe

1.0kB
4.2kB
8
9
185.199.108.154:443

github.githubassets.com

tls

chrome.exe

1.0kB
4.2kB
8
9
185.199.108.154:443

github.githubassets.com

tls

chrome.exe

1.0kB
4.2kB
8
9
185.199.108.154:443

github.githubassets.com

tls

chrome.exe

969 B
4.2kB
8
9
185.199.108.154:443

github.githubassets.com

tls

chrome.exe

1.0kB
4.2kB
8
9
185.199.108.154:443

github.githubassets.com

tls

chrome.exe

43.8kB
1.1MB
645
930
185.199.111.133:443

avatars.githubusercontent.com

tls

chrome.exe

3.0kB
27.6kB
32
40
185.199.111.133:443

camo.githubusercontent.com

tls

chrome.exe

2.1kB
5.8kB
13
16
216.58.212.234:443

content-autofill.googleapis.com

tls

chrome.exe

2.1kB
7.0kB
15
18
185.199.108.154:443

github.githubassets.com

tls

chrome.exe

2.3kB
22.3kB
22
27
140.82.114.21:443

collector.github.com

tls

chrome.exe

1.0kB
4.6kB
10
8
140.82.114.21:443

collector.github.com

tls

chrome.exe

10.6kB
8.5kB
27
28
20.26.156.210:443

api.github.com

tls

chrome.exe

6.2kB
6.5kB
17
18

8.8.8.8:53

github.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

raw.githubusercontent.com

dns

msedge.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.111.133

185.199.110.133
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

240.143.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

240.143.123.92.in-addr.arpa
8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
224.0.0.251:5353

chrome.exe

408 B
6
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

244.244.23.193.in-addr.arpa

dns

73 B
108 B
1
1

DNS Request

244.244.23.193.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
142.250.180.4:443

www.google.com

https

chrome.exe

5.6kB
22.6kB
34
36
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.178.250.142.in-addr.arpa
8.8.8.8:53

10.180.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

10.180.250.142.in-addr.arpa
8.8.8.8:53

4.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.180.250.142.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

172.217.16.238
172.217.16.238:443

clients2.google.com

https

chrome.exe

2.4kB
8.1kB
9
12
8.8.8.8:53

238.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

238.16.217.172.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

github.com

dns

chrome.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

github.githubassets.com

dns

chrome.exe

69 B
133 B
1
1

DNS Request

github.githubassets.com

DNS Response

185.199.108.154

185.199.111.154

185.199.110.154

185.199.109.154
8.8.8.8:53

avatars.githubusercontent.com

dns

chrome.exe

75 B
139 B
1
1

DNS Request

avatars.githubusercontent.com

DNS Response

185.199.111.133

185.199.108.133

185.199.109.133

185.199.110.133
8.8.8.8:53

user-images.githubusercontent.com

dns

chrome.exe

79 B
143 B
1
1

DNS Request

user-images.githubusercontent.com

DNS Response

185.199.109.133

185.199.108.133

185.199.111.133

185.199.110.133
8.8.8.8:53

github-cloud.s3.amazonaws.com

dns

chrome.exe

75 B
253 B
1
1

DNS Request

github-cloud.s3.amazonaws.com

DNS Response

52.217.116.161

16.182.106.9

52.217.123.9

52.217.226.121

52.216.146.235

54.231.128.153

3.5.27.115

16.182.34.217
8.8.8.8:53

camo.githubusercontent.com

dns

chrome.exe

72 B
136 B
1
1

DNS Request

camo.githubusercontent.com

DNS Response

185.199.111.133

185.199.108.133

185.199.110.133

185.199.109.133
8.8.8.8:53

154.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

154.108.199.185.in-addr.arpa
8.8.8.8:53

133.111.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.111.199.185.in-addr.arpa
8.8.8.8:53

content-autofill.googleapis.com

dns

chrome.exe

77 B
285 B
1
1

DNS Request

content-autofill.googleapis.com

DNS Response

216.58.212.234

142.250.200.42

142.250.187.234

172.217.16.234

142.250.187.202

142.250.200.10

142.250.179.234

142.250.180.10

216.58.212.202

216.58.204.74

142.250.178.10

172.217.169.10

216.58.201.106
8.8.8.8:53

collector.github.com

dns

chrome.exe

66 B
115 B
1
1

DNS Request

collector.github.com

DNS Response

140.82.114.21
8.8.8.8:53

api.github.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

api.github.com

DNS Response

20.26.156.210
216.58.212.234:443

content-autofill.googleapis.com

https

chrome.exe

2.2kB
7.0kB
7
11
8.8.8.8:53

234.212.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

234.212.58.216.in-addr.arpa
8.8.8.8:53

210.156.26.20.in-addr.arpa

dns

144 B
316 B
2
2

DNS Request

210.156.26.20.in-addr.arpa

DNS Request

210.156.26.20.in-addr.arpa
8.8.8.8:53

21.114.82.140.in-addr.arpa

dns

72 B
117 B
1
1

DNS Request

21.114.82.140.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
78f3dd894aeb1530d2a97e2025476668

SHA1
aa855aeba1e4c1dd6d4c33c5617b4937374f178a

SHA256
8397c08ccff92c027d1b407d8f0d1fd474f0c39947a5a06e168a819f5c528bd7

SHA512
6f85af30dc07c98d1787cffba3a196108847e3a60cd73ed60109f3cff5cbd761e47173a64721a4b6af17220f50fe80770e21e4fb272f2afcc10655568ba0b77a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e93980c4122c2570bf17a0d1e2c890be

SHA1
14efc026bd1c58446e9788c98d57aa83d466d639

SHA256
fbb4f93711e0764d9da85564803f688cd89f5763d5ace9ea169ef4d9d7f9c5f0

SHA512
bead31cbc82774ceab7dda8c8219052588a0143d4a0c05905e9f798405175952eae07d795ce62600a3292860db2086888e00f6cf153d29cd102e59546a2fac52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
1d072a9db966275110a6ab4e93bc1e8e

SHA1
7b0cc49cc83429e774bc18d5b15c179a468acb4c

SHA256
e5848302d9f5c57add0e87f5a8d398ccbffca7d71df154ed3d8b7d3a470deb26

SHA512
164b2ac6fcd261f1f5b671273e7573a4803aae649002a440df0cffb73eee3731415b39973f2abc5b896dc56efbeb41fd8b28a105d001210b61bf0a464c46fdd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bdfa8584bc88b4cc74e522fe3c2846ab

SHA1
ab51b216e45ad6c5998a20bac4740d5997f2b648

SHA256
1a184fc12737f81de3bf36c18ac724605a4cde30acf781690b409f893eb8db80

SHA512
21c05950f71341e133395dc4cbb5aa3bc9cefd2e54dca22b6976ce58713c6de687264a0199c698a648f50032e413e7a5236d97c0a832f8fea72184f43b0c417b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
38c85ea21bf290989abc012517407dd9

SHA1
6acbf91a6e78b96f20f0dc99009d4ebc902b1cd7

SHA256
9d64dacc4c54b0e1340df77988b2cf01e6e98586d3bfc2bd04dc6cd0de73205f

SHA512
9c25bb2b34c522171063e8c497b27563cd35456640833671538a3d0db6399a743d5d70e0fd58785f56e60f0498ef2b108e20483873849c81848b7f768cae5016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5a7eec352961c379e07765e8964338c4

SHA1
a0dd1beecd3951b04d3ecd49b5541fdf5c397982

SHA256
6f5e0baa06bd019d8daf149c4a17e7d2ec3ba7809f0436efc6f01c72d6d77189

SHA512
6b37e5841f08a2154ce8dd23ddd7faf08d619ad3db77d18657bb60a788947f02fa3d5eccfba0fb1393d76322601108b98373af57a55a97cde3b7a5cb8cf085d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70abdfdef4ee4ffe9db904afc930f50b

SHA1
31964586279c7a0c8399ba2ebdc595c31152ce45

SHA256
db7bc923e10fdbb24d642e91b60e1e8d160ba0871dac229406a508415af20f4e

SHA512
b3a0561e7a8669dfd5661ef52f99e5d89e6ea21ab065a02fa6805504831cfc42619c9267b714da59081ab91b33eb78ca5bf7b731a0cb296fb2eeb3646e093de7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbd27c0b90fa4e98dec670ea00f87e34

SHA1
439aa9ca3420a76ddb55fa22ffc747be3673dba8

SHA256
07701406c637a10f479139b88abec60dcaf23af188d6d35a228aaf9aae1c2ffa

SHA512
c895d76d56fca02aba53f3ccdd4e5b78b3bb509c3a26a0d9808d9eb28768fee319e45713fda2456f779d477d7630d2600480ea976a0914a0e62516ab3de7e1fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6883dc81f7876e35e7be9a6b25af53a4

SHA1
fbc94714a05e5a33fc2f81702ba6ce30365ed2af

SHA256
fdd313f03d764d84a2bdcc60a9bf04db113068c949c8dcacc87a62d54c0c469d

SHA512
0365e0f065dfcfa32c4469fc74d15add7300d8d8e8aba6f36d0b5a7edb9e0366f258ee7aa073540dd3016d03afd5d255f10708720dd37ff09a8de872192b5de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
abb43758e5ac28dda6ad6d8421570e92

SHA1
9b47f0a008d0d94e111c83f864739c1147ed4bda

SHA256
f4a42650461cd31db49ecfb078975a085f29dd4b20e338bbc5dca418cad6a3f0

SHA512
82a913e86cabfe0112ef3e21f1b73d1c40206d9790c3840ebaa0cb47f089fc5086f784e58cbf186a6767087c9ebeeb216ae8f5363ea62759caf49aad43fb3fbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
baf30fdd36390395e08110764b8fbbdc

SHA1
06369c38c1b47364551d111310e1d11076e28539

SHA256
a64b40162f91b3d5a550c6a395dc00ba95ddddb62b5811a190953606b8d89689

SHA512
856d2088e53666612522c4bb49fc44a8940bff0445596e93140063b10241585a523563221f5e02583381012706eb5a184d6c4c0ce05ae533aabe1f0dc0bf62fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
72dc1b00cbd8678c7ef6f4562ca80259

SHA1
6b1a342a7b9c10f8c3d4c97ddab3ad666df2cee7

SHA256
105cfe13a8390f50fdbec81c990a9b8487b44fc4202bd3362084cf365c484e30

SHA512
5a84d16b20fefefcf1489bda0e1bfc9c1aaf1bb1d93a2f199fd39697c34a7b0b8c56275378ee854c4c7a947c864419783c6f880169164025b0cace7079fd4df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b99802bb4191f6b47189af3f3c6be246

SHA1
0ec187ef3ec6582fb1c64499d96c14327cbd4e5f

SHA256
b9341e55e1dc1140bc45194a9003ff7869480b1918eeb1a995cfceb923f754db

SHA512
b0329ea1a833893a23af1e35fe082a41f6ad1706b259835e4a285b97e78c8f5c7ee6186da342d2b1a4d60da265c20cfb48aeb0fb32deb495caf3200d33fac28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b09b426565ba8b55629190172c064da

SHA1
fa747fd4f2c6281849b1c09af533d04cd48fa1e8

SHA256
6b49de4270bde53964dbd511ad702cef468b15798b8cf820a44333c1d22caada

SHA512
d2727f8375f68d3dc4f28825cb9b4643ed382e8c78e25177a878a444c39dd3e1010d78783b66c216a5dbbf457157b89d40753b18e5a2bf8a836ce197c2ce03d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3ae48bbc68774b383d41127bc30a06b3

SHA1
3777df8d86439ef625c86eaa1cc44e31ba309529

SHA256
cf7edd55aa5ba4ec4a69b9d9be220d8a485b0a1c9fed6c35e427da29c3d95781

SHA512
bd6448c7432c4c77e06d5ceff72bc2ccd894a8182a0f467c85e5876a3f78432074b473c36acbd0866053b9aafb10db2328e1b5f5aa53ed84105806572968e7a0

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
memory/1544-145-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1544-146-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1544-144-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2256-165-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-177-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-176-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-175-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-174-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-173-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-172-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-171-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-167-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/2256-166-0x000001DA3D6C0000-0x000001DA3D6C1000-memory.dmp

Filesize
4KB

Download
memory/3712-137-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-143-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-179-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-136-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-138-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-140-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-180-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3712-153-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4016-152-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4016-160-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4180-155-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4180-162-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4552-150-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4552-156-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.