Analysis Overview
SHA256: 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
Threat Level: Known bad
The file 1.exe.vir was found to be: Known bad.
Malicious Activity Summary
Formbook
Xloader family
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Xloader
Xloader Payload
Executes dropped EXE
Adds policy Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Gathers network information
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-06-21 09:23
Signatures
Xloader Payload
Xloader family
Analysis: behavioral1
Detonation Overview
Submitted: 2022-06-21 09:23
Reported: 2022-06-21 09:25
Platform: win7-20220414-en
Max time kernel: 150s
Max time network: 153s
Command Line
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JRMXEFPPWFM = "C:\\Program Files (x86)\\Ger1tiv_h\\mfcer-p6tep.exe" | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1520 set thread context of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Explorer.EXE |
| PID 876 set thread context of 1296 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| File created | C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe | C:\Windows\Explorer.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\1.exe | "C:\Users\Admin\AppData\Local\Temp\1.exe" |
| C:\Windows\SysWOW64\cmmon32.exe | "C:\Windows\SysWOW64\cmmon32.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\1.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
| C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe | "C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe" |
Network
Files
C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe
| MD5 | 509edfdb29a62b6e704548051f8288d7 |
| SHA1 | 092709e1a4bdb9e154201f243faf7be0a6754806 |
| SHA256 | 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca |
| SHA512 | 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954 |
Analysis: behavioral2
Detonation Overview
Submitted: 2022-06-21 09:23
Reported: 2022-06-21 09:25
Platform: win10v2004-20220414-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XBML08-X = "C:\\Program Files (x86)\\Dqdf8\\chkdskp6ql.exe" | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1088 set thread context of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Explorer.EXE |
| PID 4644 set thread context of 3084 | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Dqdf8 | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe | C:\Windows\Explorer.EXE | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\1.exe | "C:\Users\Admin\AppData\Local\Temp\1.exe" |
| C:\Windows\SysWOW64\NETSTAT.EXE | "C:\Windows\SysWOW64\NETSTAT.EXE" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\1.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
| C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe | "C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe
| MD5 | 509edfdb29a62b6e704548051f8288d7 |
| SHA1 | 092709e1a4bdb9e154201f243faf7be0a6754806 |
| SHA256 | 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca |
| SHA512 | 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954 |