Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 11-02-2022 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  Resource: win10v2004-en-20220113
General
- Target: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
- Size: 407KB
- MD5: d9c3b4e5faa03bc8d83396837bd7e23c
- SHA1: fe391b8f10f99a5a9f7d3dcd49d8d0e9551b663e
- SHA256: 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82
- SHA512: 529043ab300e6fa1efbd374e429a30cdab431fbeaae8ea2a4ba1ad322bb3cf20136057059b6d095e157c69c3153093c286304ae7a83327e2f07441db802a4a1b
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
964 | Kungfu.exe
1700 | kungfu1.exe
1972 | Kungfu.exe
-
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 10 IoCs
Processes:
pid | process
564 | cmd.exe
1004 | cmd.exe
964 | Kungfu.exe
1700 | kungfu1.exe
964 | Kungfu.exe
1700 | kungfu1.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes:
resource | yara_rule
C:\MSOCache\BiblevsQuran.pdf | pdf_with_link_action
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1736 | 1700 | WerFault.exe | kungfu1.exe
-
Modifies data under HKEY_USERS 6 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Kungfu.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Kungfu.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Kungfu.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Kungfu.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | Kungfu.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Kungfu.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
1736 | WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
1864 | AcroRd32.exe
1736 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 1596 | 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Token: SeBackupPrivilege | 1596 | 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Token: SeDebugPrivilege | 1736 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1864 | AcroRd32.exe
1864 | AcroRd32.exe
1864 | AcroRd32.exe
1864 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | repeated entries
PID 1596 wrote to memory of 672 | 1596 | 184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe | WScript.exe | 7
PID 672 wrote to memory of 564 | 672 | WScript.exe | cmd.exe | 7
PID 672 wrote to memory of 1004 | 672 | WScript.exe | cmd.exe | 7
PID 1004 wrote to memory of 1864 | 1004 | cmd.exe | AcroRd32.exe | 7
PID 564 wrote to memory of 1524 | 564 | cmd.exe | AcroRd32.exe | 7
PID 564 wrote to memory of 976 | 564 | cmd.exe | netsh.exe | 7
PID 1004 wrote to memory of 960 | 1004 | cmd.exe | netsh.exe | 7
PID 564 wrote to memory of 964 | 564 | cmd.exe | Kungfu.exe | 7
PID 1004 wrote to memory of 1700 | 1004 | cmd.exe | kungfu1.exe | 7
PID 1700 wrote to memory of 1072 | 1700 | kungfu1.exe | cmd.exe | 1
Processes
Process tree (indentation shows nesting depth; each entry gives the image path, then the command line, then the signatures raised):
- C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\MSOCache\test.vbs"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c ""C:\MSOCache\start1.bat" "
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        cmd: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\MSOCache\BiblevsQuran.pdf"
      - C:\Windows\SysWOW64\netsh.exe
        cmd: netsh firewall set opmode disable
      - C:\MSOCache\Kungfu.exe
        cmd: C:\MSOCache\kungfu.exe -i
        signatures: Executes dropped EXE; Loads dropped DLL
      - C:\Windows\SysWOW64\net.exe
        cmd: net start gpsvs
        - C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 start gpsvs
    - C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c ""C:\MSOCache\start.bat" "
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        cmd: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\MSOCache\BiblevsQuran.pdf"
        signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\netsh.exe
        cmd: netsh firewall set opmode disable
      - C:\MSOCache\kungfu1.exe
        cmd: C:\MSOCache\kungfu1.exe
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
          - C:\Windows\SysWOW64\reg.exe
            cmd: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
            signatures: Adds Run key to start application
        - C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
          - C:\Windows\SysWOW64\reg.exe
            cmd: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
            signatures: Adds Run key to start application
        - C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 300
          signatures: Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- C:\MSOCache\Kungfu.exe
  cmd: C:\MSOCache\Kungfu.exe
  signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads