Analysis Overview
SHA256
fe4b7a7b525619582b8a13328d025240b287f2746b8110c3ee09538a7f78fc9a
Threat Level: Known bad
The file aa1422c69390f675a8c5b1d864dc3d2c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ramnit
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Program Files directory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Analysis: static1
Detonation Overview
Reported: 2024-06-14 14:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-14 14:03
Reported: 2024-06-14 14:06
Platform: win7-20240508-en
Max time kernel: 144s
Max time network: 148s
Signatures
Ramnit
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\px3939.tmp | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424535719" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EC68A611-2A56-11EF-B8F6-D6B84878A518} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\aa1422c69390f675a8c5b1d864dc3d2c_JaffaCakes118.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:406544 /prefetch:2
Network
Files
\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 572052b656fcf301d062d4a08afcda8a |
| SHA1 | 83b772dbb572db4e4a4c084d08ee3dacc4745bcb |
| SHA256 | d57cb87af2c717fdbd410d59eb644657b61cdd790c13e7350060d90d89ed252a |
| SHA512 | 8f5d162a08a9b8665cbb52e4e8286c850d1921dba61380dda2c9b6b31551cd2e6f35ca247851cf22a27a1e122d7e4af54ec29ceadced8af4f6edcfb4c380d9a5 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-14 14:03
Reported: 2024-06-14 14:06
Platform: win10v2004-20240611-en
Max time kernel: 145s
Max time network: 147s
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\aa1422c69390f675a8c5b1d864dc3d2c_JaffaCakes118.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed0ef46f8,0x7ffed0ef4708,0x7ffed0ef4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,18356452961888286380,2009979852952009023,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4724 /prefetch:2
Network
Files