d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f

Analysis

max time kernel
144s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
Size

3.1MB
MD5

bfb661b2999df3c09616b6e8e51e4030
SHA1

989d746fb3e3819ced480aa680b9d99aa0420135
SHA256

d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f
SHA512

57b8dba368189b69a47e65085548a24860ae39f3630c458a126332c9e2dd37063850c04cefc9b9383ed9e208a329bf420ad53381f36eade5509ae33604dc37b9

Score

8^/10

aspackv2 bootkit discovery persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\??\c:\ÉñÍ¾\zhengfustc.exe	aspack_v212_v242
C:\ÉñÍ¾\zhengfustc.exe	aspack_v212_v242
C:\ÉñÍ¾\DownloadTemp\zhengfustc.exe	aspack_v212_v242
\??\c:\ÉñÍ¾\DownloadTemp\zhengfustc.exe	aspack_v212_v242
C:\ÉñÍ¾\zhengfustc.exe	aspack_v212_v242
\??\c:\ÉñÍ¾\zhengfustc.exe	aspack_v212_v242

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

zhengfustc.exezhengfustc.exezhengfustc.exe

pid process

5116 zhengfustc.exe
4348 zhengfustc.exe
5088 zhengfustc.exe

pid	process
5116	zhengfustc.exe
4348	zhengfustc.exe
5088	zhengfustc.exe

Unexpected DNS network traffic destination 30 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	114.114.114.114
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.6.6.6
Destination IP	223.6.6.6
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.6.6.6

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

zhengfustc.exed050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exezhengfustc.exezhengfustc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	zhengfustc.exe
File opened for modification	\??\PhysicalDrive0	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
File opened for modification	\??\PhysicalDrive0	zhengfustc.exe
File opened for modification	\??\PhysicalDrive0	zhengfustc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1140	4792	WerFault.exe	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
4112	5116	WerFault.exe	zhengfustc.exe
3864	4348	WerFault.exe
4140	5088	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

zhengfustc.exezhengfustc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	zhengfustc.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\IESettingSync	zhengfustc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	zhengfustc.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	zhengfustc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	zhengfustc.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	zhengfustc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	zhengfustc.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\IESettingSync	zhengfustc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exezhengfustc.exezhengfustc.exezhengfustc.exe

pid	process
4792	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
4792	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
5116	zhengfustc.exe
5116	zhengfustc.exe
4348	zhengfustc.exe
4348	zhengfustc.exe
5088	zhengfustc.exe
5088	zhengfustc.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exezhengfustc.exezhengfustc.exezhengfustc.exe

pid	process
4792	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
4792	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
5116	zhengfustc.exe
5116	zhengfustc.exe
5116	zhengfustc.exe
5116	zhengfustc.exe
4348	zhengfustc.exe
5088	zhengfustc.exe
5088	zhengfustc.exe
5088	zhengfustc.exe
5088	zhengfustc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exezhengfustc.exezhengfustc.exe

description	pid	process	target process
PID 4792 wrote to memory of 5116	4792	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe	zhengfustc.exe
PID 4792 wrote to memory of 5116	4792	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe	zhengfustc.exe
PID 4792 wrote to memory of 5116	4792	d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe	zhengfustc.exe
PID 5116 wrote to memory of 4348	5116	zhengfustc.exe	zhengfustc.exe
PID 5116 wrote to memory of 4348	5116	zhengfustc.exe	zhengfustc.exe
PID 5116 wrote to memory of 4348	5116	zhengfustc.exe	zhengfustc.exe
PID 4348 wrote to memory of 5088	4348	zhengfustc.exe	zhengfustc.exe
PID 4348 wrote to memory of 5088	4348	zhengfustc.exe	zhengfustc.exe
PID 4348 wrote to memory of 5088	4348	zhengfustc.exe	zhengfustc.exe

C:\Users\Admin\AppData\Local\Temp\d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
"C:\Users\Admin\AppData\Local\Temp\d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 556
2⤵
- Program crash
PID:1140

\??\c:\ÉñÍ¾\zhengfustc.exe
"c:\ÉñÍ¾\zhengfustc.exe" MOV 4792 C:\Users\Admin\AppData\Local\Temp\d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 564
3⤵
- Program crash
PID:4112

\??\c:\ÉñÍ¾\DownloadTemp\zhengfustc.exe
"c:\ÉñÍ¾\DownloadTemp\zhengfustc.exe" RPL 5116 c:\ÉñÍ¾\zhengfustc.exe
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348

\??\c:\ÉñÍ¾\zhengfustc.exe
"c:\ÉñÍ¾\zhengfustc.exe" NEW
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5116 -ip 5116
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4348 -ip 4348
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 560
1⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 536
1⤵
- Program crash
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5088 -ip 5088
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÉñÍ¾\Ð¶ÔØÕ÷·þÉñÍ¾Çá±ä°æC.lnk
Filesize
656B

MD5
2f172a7bb0e6ac0ed4bdf62ea33ce7f6

SHA1
79987b81aeaaeedd70fea647d3ddea725843a44f

SHA256
d79a84b6b64d1136d35220f7914370335da2fbccdecb4adc9367d5b727e0a215

SHA512
364ba8003199b29fd9583f812ce7794813fe02acfde8e3ffdd080ce23112d7dcb36d27490321d1390080620f3120e743b7fd234853e3b42cebfed87c69787548

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÉñÍ¾\Ð¶ÔØÕ÷·þÉñÍ¾Çá±ä°æC.lnk
Filesize
656B

MD5
03e878e6bb8af9bcba3c97a093e44ae7

SHA1
70b8ceed1beb4959253332782027576141ee7324

SHA256
d8c4add9e648880857e9b8334c91a55f32dba021f47ff33bd39673415c420074

SHA512
5cb51125a64790a7f15fbfdd7eee546f1cc23c39fe0274a722ea480fa5ac81cd03c9336dff883ed70f625feefda3c001a7992973e9b45d64334d3ddba27fda1f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÉñÍ¾\Õ÷·þÉñÍ¾Çá±ä°æC.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ÉñÍ¾\Õ÷·þÉñÍ¾Çá±ä°æC.lnk
Filesize
648B

MD5
426ed001019488e7623b05896f19d8e8

SHA1
175b36ddda87559de632ed82c04fb95a0cbdfc82

SHA256
104c419aff20e650f23c320be41180fd8177a4c95eb6c65552d2a5efd303f2db

SHA512
ad8c996cd602278f4d081230cedf11ddb59f660a18d9243e00a76731aa28005e03633433fba5b7a0254ba0831e35081b3940d2af1e32eaa32d23ad220aaf11b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AWDQ28Q6\bj[1].jpg
Filesize
30KB

MD5
691e196986396d74d043939a5087823d

SHA1
03ceb694f700a87b4d46b191b64e25727ececabc

SHA256
24655d34af3b70150d6f701e43ca96d8f2bb0dc2c4651ba022b954a1a5d3cee4

SHA512
7180c1121c48f1d47645c0d147d5c18e412727d57a20b414c33e9561214525e627ed8b538fd7d51778219896636893dd488aafd6280368dd7ed85798e8b084ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AWDQ28Q6\c3[1].jpg
Filesize
5KB

MD5
0bf9e9ca4237218cfadebbc350081e86

SHA1
92b61935ab658b8aa226f428aa2ecfa12d072559

SHA256
5ff3b1f895a3c6fa76192c37602b527dc8e468d5485becbb701947ea5ac73f9f

SHA512
b9fe7d007ab75faa0c10468b7d829c4ecc19ed227d462c7b282a9240b91195270ab900d7343dccdcc4501f0101be39dba7c6a149d66f0562554e236940cc91da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DNOBF6Z3\title[1].jpg
Filesize
26KB

MD5
f75c54140753aec16e2317d7a0c7d82c

SHA1
363c3bf339913d8248fffe02172c9c09d185472d

SHA256
f8717e88c203ee426999ff426ab83a1902bad4f53aadd38e6b261b444141eb43

SHA512
464c8ab0318913960276aef64088b34e24725d2e7a6cd059b6024c0d76068037a26b59a902a4be8d2f09f02231b54c4356760ca7e7c6675fadcd3a40dc367826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\a3[1].jpg
Filesize
6KB

MD5
18f47d904aba5f8fc233e489810b28e1

SHA1
f1121354d2f7fa7a6fe4f917420979f26d5c84c1

SHA256
6aeef59dff5ef1861362a833fe86ac5c9876c0c7454170ebda6be01928a697a1

SHA512
a546f0caadff36277d9a85f3beb6432f6b386c880b0335724df994345ff4c0c52143e1f8fc1d23abc6ffdea0935ce56ca9f3218aaf8b4c451541ca85177d6594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T4LT4978\c2[1].jpg
Filesize
6KB

MD5
54f8c490792bafa787c3eafb24d5cf9a

SHA1
4656d5f4c0f4bab240badeba946d10fea48b5c8a

SHA256
b1057b96ff40aeb0cac6706b4163c24ecf6b5f454dbca2a66bd7c3008a50dc8f

SHA512
615980a7506fba762e64b5c98cb88b2815f422f6965817d46f4c5f2443c8278ec857077cf9d40fbee0dd0004ad7a8f0bab39b26b311580930fa8fed82897a0ba

Download Submit
C:\Users\Public\Desktop\Õ÷·þÉñÍ¾Çá±ä°æC.lnk
Filesize
393B

MD5
57ba48d3941406936a4c53f70fdc518f

SHA1
fe613a843cb8999ba27837462871afc002af3f9f

SHA256
b726b84b25f6edc3f9002a326c31c49fac700e828cbeb58331a938ab67ef30d9

SHA512
c1b395360b5d21b440149c023713ebaacd456a65bd4078eee6dfc12df764a28c0b4bd6e61cffac3e4ffc8303c3a192c10c395d36c5f2423dc9997f8aba6a0288

Download Submit
C:\ÉñÍ¾\DownloadTemp\zhengfustc.exe
Filesize
2.8MB

MD5
c98d395f85f73b647cb0aa1befc6e24f

SHA1
6447608561ab1885abe9d23e8afacfd37808ce74

SHA256
bed88a6170b1f50112539def0ab9870d6fff01d493d25357f81990074e704230

SHA512
2d128a51fb37fbb8a7e7a50041ba70719e6fae355ff92db9c8814bc965d53263d3aab2c050e8b13207000995cdb4ad08880a3365da4133c88e1f986c88483579

Download Submit
C:\ÉñÍ¾\zhengfustc.exe
Filesize
2.8MB

MD5
c98d395f85f73b647cb0aa1befc6e24f

SHA1
6447608561ab1885abe9d23e8afacfd37808ce74

SHA256
bed88a6170b1f50112539def0ab9870d6fff01d493d25357f81990074e704230

SHA512
2d128a51fb37fbb8a7e7a50041ba70719e6fae355ff92db9c8814bc965d53263d3aab2c050e8b13207000995cdb4ad08880a3365da4133c88e1f986c88483579

Download Submit
C:\ÉñÍ¾\zhengfustc.exe
Filesize
3.1MB

MD5
bfb661b2999df3c09616b6e8e51e4030

SHA1
989d746fb3e3819ced480aa680b9d99aa0420135

SHA256
d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f

SHA512
57b8dba368189b69a47e65085548a24860ae39f3630c458a126332c9e2dd37063850c04cefc9b9383ed9e208a329bf420ad53381f36eade5509ae33604dc37b9

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\LoginServerList.xml
Filesize
108KB

MD5
b859bd287d87c562b0e7d317fe815e3d

SHA1
88e44f63084c749453f5da58a1dd24aa7b6bf874

SHA256
478321518e00a96d747083fde27929495aa2eb2a86090de58d17e59a15e80376

SHA512
39eed9ac14dc0594f3e1f7e6ac38c1aa3eec955bdf72b2b648562bc25085714431c67d3860061527aa14a8ffd214e81995a61abaf486696c48707170e30b8e8d

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\LoginServerList.xml
Filesize
108KB

MD5
b859bd287d87c562b0e7d317fe815e3d

SHA1
88e44f63084c749453f5da58a1dd24aa7b6bf874

SHA256
478321518e00a96d747083fde27929495aa2eb2a86090de58d17e59a15e80376

SHA512
39eed9ac14dc0594f3e1f7e6ac38c1aa3eec955bdf72b2b648562bc25085714431c67d3860061527aa14a8ffd214e81995a61abaf486696c48707170e30b8e8d

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST0_tmp.dat
Filesize
108KB

MD5
b859bd287d87c562b0e7d317fe815e3d

SHA1
88e44f63084c749453f5da58a1dd24aa7b6bf874

SHA256
478321518e00a96d747083fde27929495aa2eb2a86090de58d17e59a15e80376

SHA512
39eed9ac14dc0594f3e1f7e6ac38c1aa3eec955bdf72b2b648562bc25085714431c67d3860061527aa14a8ffd214e81995a61abaf486696c48707170e30b8e8d

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST1_tmp.dat
Filesize
108KB

MD5
b859bd287d87c562b0e7d317fe815e3d

SHA1
88e44f63084c749453f5da58a1dd24aa7b6bf874

SHA256
478321518e00a96d747083fde27929495aa2eb2a86090de58d17e59a15e80376

SHA512
39eed9ac14dc0594f3e1f7e6ac38c1aa3eec955bdf72b2b648562bc25085714431c67d3860061527aa14a8ffd214e81995a61abaf486696c48707170e30b8e8d

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST1_tmp.dat
Filesize
108KB

MD5
b859bd287d87c562b0e7d317fe815e3d

SHA1
88e44f63084c749453f5da58a1dd24aa7b6bf874

SHA256
478321518e00a96d747083fde27929495aa2eb2a86090de58d17e59a15e80376

SHA512
39eed9ac14dc0594f3e1f7e6ac38c1aa3eec955bdf72b2b648562bc25085714431c67d3860061527aa14a8ffd214e81995a61abaf486696c48707170e30b8e8d

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST2_tmp.dat
Filesize
108KB

MD5
b859bd287d87c562b0e7d317fe815e3d

SHA1
88e44f63084c749453f5da58a1dd24aa7b6bf874

SHA256
478321518e00a96d747083fde27929495aa2eb2a86090de58d17e59a15e80376

SHA512
39eed9ac14dc0594f3e1f7e6ac38c1aa3eec955bdf72b2b648562bc25085714431c67d3860061527aa14a8ffd214e81995a61abaf486696c48707170e30b8e8d

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\mtdl_OEMSVRLIST3_tmp.dat
Filesize
108KB

MD5
b859bd287d87c562b0e7d317fe815e3d

SHA1
88e44f63084c749453f5da58a1dd24aa7b6bf874

SHA256
478321518e00a96d747083fde27929495aa2eb2a86090de58d17e59a15e80376

SHA512
39eed9ac14dc0594f3e1f7e6ac38c1aa3eec955bdf72b2b648562bc25085714431c67d3860061527aa14a8ffd214e81995a61abaf486696c48707170e30b8e8d

Download Submit
\??\c:\ÉñÍ¾\DownloadTemp\zhengfustc.exe
Filesize
2.8MB

MD5
c98d395f85f73b647cb0aa1befc6e24f

SHA1
6447608561ab1885abe9d23e8afacfd37808ce74

SHA256
bed88a6170b1f50112539def0ab9870d6fff01d493d25357f81990074e704230

SHA512
2d128a51fb37fbb8a7e7a50041ba70719e6fae355ff92db9c8814bc965d53263d3aab2c050e8b13207000995cdb4ad08880a3365da4133c88e1f986c88483579

Download Submit
\??\c:\ÉñÍ¾\GameStartSetting.xml
Filesize
1KB

MD5
cb675e6b2f7085ba2af2b1c17fc0b4f0

SHA1
df50a8be72652acf399e1c50ac1fcce019c6ade5

SHA256
b59c9bc5f35ca2e747a5a67267ee3c467b3319262e9f51219e537f09562fcc65

SHA512
85e72a0554ff70d0233249bf4dd8509585ded52c4a6348fb6aa3144e2a14fc7750a65354e4614e917d8c7e9e483d1705ea674867fe09dc114e17f8a79054a6bb

Download Submit
\??\c:\ÉñÍ¾\Log\GameUpdateLog_3635.txt
Filesize
1KB

MD5
5166477c6d7826c1fa682bd603c6ac5e

SHA1
1761fe53c7480213af6ad09920664d58783dcb44

SHA256
8d65a912bdbdeeb7e82ec6a7a68bf8c68aab04786428730a800c80b6ae7e08e1

SHA512
8eec42da78be7f6af0e677695a258f306402751910233edb9c61a278e2828979fdaa587c46baa96e52fd5d5c47b4bc399012978962a1ad271f9cdf5b1e9aaebe

Download Submit
\??\c:\ÉñÍ¾\Setting\GameStartSetting.xml
Filesize
1KB

MD5
cb675e6b2f7085ba2af2b1c17fc0b4f0

SHA1
df50a8be72652acf399e1c50ac1fcce019c6ade5

SHA256
b59c9bc5f35ca2e747a5a67267ee3c467b3319262e9f51219e537f09562fcc65

SHA512
85e72a0554ff70d0233249bf4dd8509585ded52c4a6348fb6aa3144e2a14fc7750a65354e4614e917d8c7e9e483d1705ea674867fe09dc114e17f8a79054a6bb

Download Submit
\??\c:\ÉñÍ¾\Setting\GameStartSetting.xml
Filesize
1KB

MD5
cb675e6b2f7085ba2af2b1c17fc0b4f0

SHA1
df50a8be72652acf399e1c50ac1fcce019c6ade5

SHA256
b59c9bc5f35ca2e747a5a67267ee3c467b3319262e9f51219e537f09562fcc65

SHA512
85e72a0554ff70d0233249bf4dd8509585ded52c4a6348fb6aa3144e2a14fc7750a65354e4614e917d8c7e9e483d1705ea674867fe09dc114e17f8a79054a6bb

Download Submit
\??\c:\ÉñÍ¾\zhengfustc.exe
Filesize
2.8MB

MD5
c98d395f85f73b647cb0aa1befc6e24f

SHA1
6447608561ab1885abe9d23e8afacfd37808ce74

SHA256
bed88a6170b1f50112539def0ab9870d6fff01d493d25357f81990074e704230

SHA512
2d128a51fb37fbb8a7e7a50041ba70719e6fae355ff92db9c8814bc965d53263d3aab2c050e8b13207000995cdb4ad08880a3365da4133c88e1f986c88483579

Download Submit
\??\c:\ÉñÍ¾\zhengfustc.exe
Filesize
3.1MB

MD5
bfb661b2999df3c09616b6e8e51e4030

SHA1
989d746fb3e3819ced480aa680b9d99aa0420135

SHA256
d050de9f6e7a053aa91550a8a883748b212388b0bd6bf15c7b3de64b0447089f

SHA512
57b8dba368189b69a47e65085548a24860ae39f3630c458a126332c9e2dd37063850c04cefc9b9383ed9e208a329bf420ad53381f36eade5509ae33604dc37b9

Download Submit
memory/4348-154-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/4348-153-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/4348-157-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/4348-148-0x0000000000000000-mapping.dmp

Download
memory/4348-152-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/4792-136-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/4792-132-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/4792-130-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/4792-131-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/5088-155-0x0000000000000000-mapping.dmp

Download
memory/5088-159-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/5088-175-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/5088-160-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/5088-158-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/5116-138-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/5116-133-0x0000000000000000-mapping.dmp

Download
memory/5116-137-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/5116-139-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/5116-151-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download