184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82

Analysis

max time kernel
151s
max time network
121s
platform
windows7_x64
resource
win7-en-20211208
submitted
11-02-2022 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Size

407KB
MD5

d9c3b4e5faa03bc8d83396837bd7e23c
SHA1

fe391b8f10f99a5a9f7d3dcd49d8d0e9551b663e
SHA256

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82
SHA512

529043ab300e6fa1efbd374e429a30cdab431fbeaae8ea2a4ba1ad322bb3cf20136057059b6d095e157c69c3153093c286304ae7a83327e2f07441db802a4a1b

Score

8^/10

evasion link pdf persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Kungfu.exekungfu1.exeKungfu.exe

pid process

964 Kungfu.exe
1700 kungfu1.exe
1972 Kungfu.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
964	Kungfu.exe
1700	kungfu1.exe
1972	Kungfu.exe

Loads dropped DLL 10 IoCs

Processes:

cmd.execmd.exeKungfu.exekungfu1.exeWerFault.exe

pid	process
564	cmd.exe
1004	cmd.exe
964	Kungfu.exe
1700	kungfu1.exe
964	Kungfu.exe
1700	kungfu1.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\MSOCache\BiblevsQuran.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1736 1700 WerFault.exe kungfu1.exe

pid	pid_target	process	target process
1736	1700	WerFault.exe	kungfu1.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

Kungfu.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Kungfu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Kungfu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kungfu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Kungfu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Kungfu.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kungfu.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1736 WerFault.exe
1736 WerFault.exe
1736 WerFault.exe
1736 WerFault.exe
1736 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

AcroRd32.exeWerFault.exe

pid process

1864 AcroRd32.exe
1736 WerFault.exe

pid	process
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe

pid	process
1864	AcroRd32.exe
1736	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Token: SeBackupPrivilege	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Token: SeDebugPrivilege	1736	WerFault.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1864 AcroRd32.exe
1864 AcroRd32.exe
1864 AcroRd32.exe
1864 AcroRd32.exe

pid	process
1864	AcroRd32.exe
1864	AcroRd32.exe
1864	AcroRd32.exe
1864	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exeWScript.execmd.execmd.exekungfu1.exe

description	pid	process	target process
PID 1596 wrote to memory of 672	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 1596 wrote to memory of 672	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 1596 wrote to memory of 672	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 1596 wrote to memory of 672	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 1596 wrote to memory of 672	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 1596 wrote to memory of 672	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 1596 wrote to memory of 672	1596	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 672 wrote to memory of 564	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 564	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 564	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 564	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 564	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 564	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 564	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 1004	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 1004	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 1004	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 1004	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 1004	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 1004	672	WScript.exe	cmd.exe
PID 672 wrote to memory of 1004	672	WScript.exe	cmd.exe
PID 1004 wrote to memory of 1864	1004	cmd.exe	AcroRd32.exe
PID 1004 wrote to memory of 1864	1004	cmd.exe	AcroRd32.exe
PID 1004 wrote to memory of 1864	1004	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 1524	564	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 1524	564	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 1524	564	cmd.exe	AcroRd32.exe
PID 1004 wrote to memory of 1864	1004	cmd.exe	AcroRd32.exe
PID 1004 wrote to memory of 1864	1004	cmd.exe	AcroRd32.exe
PID 1004 wrote to memory of 1864	1004	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 1524	564	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 1524	564	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 1524	564	cmd.exe	AcroRd32.exe
PID 1004 wrote to memory of 1864	1004	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 1524	564	cmd.exe	AcroRd32.exe
PID 564 wrote to memory of 976	564	cmd.exe	netsh.exe
PID 564 wrote to memory of 976	564	cmd.exe	netsh.exe
PID 564 wrote to memory of 976	564	cmd.exe	netsh.exe
PID 564 wrote to memory of 976	564	cmd.exe	netsh.exe
PID 564 wrote to memory of 976	564	cmd.exe	netsh.exe
PID 564 wrote to memory of 976	564	cmd.exe	netsh.exe
PID 564 wrote to memory of 976	564	cmd.exe	netsh.exe
PID 1004 wrote to memory of 960	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 960	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 960	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 960	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 960	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 960	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 960	1004	cmd.exe	netsh.exe
PID 564 wrote to memory of 964	564	cmd.exe	Kungfu.exe
PID 564 wrote to memory of 964	564	cmd.exe	Kungfu.exe
PID 564 wrote to memory of 964	564	cmd.exe	Kungfu.exe
PID 564 wrote to memory of 964	564	cmd.exe	Kungfu.exe
PID 564 wrote to memory of 964	564	cmd.exe	Kungfu.exe
PID 564 wrote to memory of 964	564	cmd.exe	Kungfu.exe
PID 564 wrote to memory of 964	564	cmd.exe	Kungfu.exe
PID 1004 wrote to memory of 1700	1004	cmd.exe	kungfu1.exe
PID 1004 wrote to memory of 1700	1004	cmd.exe	kungfu1.exe
PID 1004 wrote to memory of 1700	1004	cmd.exe	kungfu1.exe
PID 1004 wrote to memory of 1700	1004	cmd.exe	kungfu1.exe
PID 1004 wrote to memory of 1700	1004	cmd.exe	kungfu1.exe
PID 1004 wrote to memory of 1700	1004	cmd.exe	kungfu1.exe
PID 1004 wrote to memory of 1700	1004	cmd.exe	kungfu1.exe
PID 1700 wrote to memory of 1072	1700	kungfu1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
"C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MSOCache\test.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\MSOCache\start1.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\MSOCache\BiblevsQuran.pdf"
4⤵
PID:1524

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
4⤵
PID:976

C:\MSOCache\Kungfu.exe
C:\MSOCache\kungfu.exe -i
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964

C:\Windows\SysWOW64\net.exe
net start gpsvs
4⤵
PID:1952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start gpsvs
5⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\MSOCache\start.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\MSOCache\BiblevsQuran.pdf"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
4⤵
PID:960

C:\MSOCache\kungfu1.exe
C:\MSOCache\kungfu1.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
5⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
6⤵
- Adds Run key to start application
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
5⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
6⤵
- Adds Run key to start application
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 300
5⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\MSOCache\Kungfu.exe
C:\MSOCache\Kungfu.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\BiblevsQuran.pdf
MD5
d4dc3b84e57f20221abd9029d948ad03

SHA1
d9ca35777088e2496c9f697b29e45f24a9dfb8fc

SHA256
519b22268ab6c9121f750df2942fb4557cd24a581011440ed159b500bb9abf31

SHA512
80d77f9e1bed346e99d3f2664f62df6f4866c5611f1e29ca0553ed8a203aeb7c8f312a2dcced316790485f4ea7b285bbf86b52cb50343ae6c67fb5aea1afc0d5

Download Submit
C:\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
C:\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
C:\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
C:\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
C:\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
C:\MSOCache\start.bat
MD5
7fa4b5494ec2037bf837ddd92fe80f75

SHA1
09e48046d10460f4917b07ebbbb57364419871b5

SHA256
b3cf5eaea45d127c5e4c82953f5c97cc37768e219a87353f6ba5cc659ad2ebbc

SHA512
8ae99172b1f189c26c73e5a3520bbe5870d096c1d0b776c6540696821c41fb99752b7470bd2e7457d5606d59a3ea35bd289950b686c1f7c7f12554c78cf12486

Download Submit
C:\MSOCache\start1.bat
MD5
cf73766dc2da3a50f091da6974c50fa4

SHA1
be5e4446e769233e215edc30647efbc483149aae

SHA256
c7da1f593473d922992191b715f2db96f14ce291d7043cffaa6a49ec3864a6a2

SHA512
3f39c34cd28cbdd4cc5cc64a3e33f33140956702a893acbccc9fdb199324e88bf331b654855226dc1065f37164e199d91f2f539001373a87d096d7ca99908df4

Download Submit
C:\MSOCache\test.vbs
MD5
65b3843fe5eff1df7d0dac47ea541a45

SHA1
f19bcd40eef3d526101fc3bbba0a88a68138bb77

SHA256
c76a603f6abdf273375d2ac0e3e9cc693bcdc3142e75243f99335ad530d0ebcf

SHA512
028fad888adce166e8c71f31393f616740d6fea248b8217564d10564d58065e321d5a12e8afabd5b3a999853c9561ecbf9c0400232c1bd62c6a45565568d8a4d

Download Submit
\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
memory/1596-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download
memory/1736-91-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download