Malware Analysis Report

2025-08-10 14:16

Sample ID 241016-bz7grawdpc
Target 9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab
SHA256 9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab
Tags
bootkit discovery persistence spyware stealer
score
8/10


Analysis Overview

score
8/10

SHA256

9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab

Threat Level: Likely malicious

The file 9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 01:35

Reported

2024-10-16 01:38

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\fytjuhv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\fytjuhv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\cnfde\\jbudw.dll\",DoVirusScan" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
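The signature above only records that rundll32.exe opened \??\PHYSICALDRIVE0 for writing; it does not show what, if anything, was written. The question an incident responder needs answered is whether the boot code changed while the partition table stayed intact (the usual MBR bootkit pattern, since the machine must still boot). The following is an added example, not part of this report or of any tool it references: it parses a 512-byte MBR, hashes the 446-byte boot code, and diffs two sectors. Both sectors are constructed here; on a real host you would obtain the bytes from a forensic image, or from an elevated Python process on Windows with open(r"\\.\PhysicalDrive0", "rb").read(512), and compare against a known-good baseline of the same build.

```python
"""Parse and baseline-compare a 512-byte MBR so a write to PHYSICALDRIVE0 can be
turned into a concrete "what changed" answer. Added example; the two sectors
below are constructed for illustration, not taken from the analysed sample."""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446      # 446 bytes of boot code, then 4 x 16-byte entries
SIG_OFF = 510             # 0x55AA boot signature
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sectors


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a sector from boot code (<=446 bytes) and up to four
    (bootable, type, lba_start, sectors) tuples. CHS fields get the 0xFE/0xFF
    placeholders an LBA-only loader ignores."""
    assert len(bootcode) <= PART_TABLE_OFF and len(partitions) <= 4
    table = b""
    for bootable, ptype, lba, count in partitions:
        table += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                             b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    table = table.ljust(64, b"\x00")
    return bootcode.ljust(PART_TABLE_OFF, b"\x00") + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature and return the boot code hash plus non-empty
    partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
            "partitions": parts}


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Human-readable list of differences; an empty list means unchanged."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if a["bootcode_sha256"] != b["bootcode_sha256"]:
        if a["partitions"] == b["partitions"]:
            findings.append("bootcode changed (partition table intact: classic bootkit hook)")
        else:
            findings.append("bootcode changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed baseline: the opening bytes of a stock loader (xor ax,ax; mov ss,ax;
# mov sp,7C00h) padded with NOPs, and a single bootable NTFS (0x07) partition.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
BASELINE = build_mbr(CLEAN_BOOTCODE, [(True, 0x07, 2048, 204800)])

# Constructed "after" sector: boot code replaced by a far jump (jmp 0000:7C00h)
# while the partition table is left untouched so the machine still boots.
TAMPERED = build_mbr(b"\xea\x00\x7c\x00\x00" + b"\x90" * 40, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print(diff_mbr(BASELINE, BASELINE))   # []
    print(diff_mbr(BASELINE, TAMPERED))   # bootcode changed, table intact
```

Keep the baseline sector alongside the host's OS build and disk layout: the boot code differs between Windows versions, so a hash mismatch against the wrong baseline is a false positive, while an intact partition table with changed boot code is exactly what this signature should make you look for.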

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\fytjuhv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe N/A
N/A N/A \??\c:\fytjuhv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe

"C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\fytjuhv.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\fytjuhv.exe

c:\fytjuhv.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\cnfde\jbudw.dll",DoVirusScan c:\fytjuhv.exe
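Two things in this process list are worth turning into reusable checks: the cmd.exe line that pings localhost for a short delay and then starts a copy of the sample from a new path with the original path as its argument (the drop, relaunch and delete-the-original idiom behind the "Deletes itself" signature), and the rundll32.exe launch that calls a named export of a DLL sitting outside any Windows or Program Files directory, which is the same command the EvtMgr Run value above persists. The following is an added example and not code from the report or the sandbox: it runs both rules over a constructed process tree whose command lines are copied from this section. PIDs and parent links are constructed, and the trusted-directory list is the analyst's own assumption.

```python
"""Triage checks over a sandbox process tree: the ping-delay relaunch and the
rundll32 "untrusted DLL + named export" launch. Added example, not part of the
original report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int        # constructed for the example
    ppid: int       # constructed for the example
    image: str      # image path as the sandbox reports it
    cmdline: str


# Assumption: DLLs and executables under these roots are treated as trusted.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ORIG = r"C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

# Command lines copied from the behavioral2 process list; PIDs/parents constructed.
SAMPLE_TREE = [
    Proc(2284, 1000, ORIG, f'"{ORIG}"'),
    Proc(2300, 2284, r"C:\Windows\SysWOW64\cmd.exe",
         f'cmd.exe /c ping 127.0.0.1 -n 2&c:\\fytjuhv.exe "{ORIG}"'),
    Proc(2310, 2300, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 2"),
    Proc(2060, 2300, r"c:\fytjuhv.exe", f'c:\\fytjuhv.exe "{ORIG}"'),
    Proc(3652, 2060, r"c:\windows\SysWOW64\rundll32.exe",
         r'c:\windows\system32\rundll32.exe "c:\cnfde\jbudw.dll",DoVirusScan c:\fytjuhv.exe'),
]

# "ping 127.0.0.1 -n N & something.exe": ping as a sleep, then a new executable.
PING_RELAUNCH = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*(\S+\.exe)\b", re.IGNORECASE)
# rundll32 [path\]something.dll,Export  (quotes around the DLL path optional)
RUNDLL32_CALL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)


def in_trusted_dir(path: str) -> bool:
    # Strip the \??\ object-manager prefix the sandbox shows before comparing.
    return path.lower().lstrip("\\?").startswith(TRUSTED_DIRS)


def rundll32_untrusted_dll(cmdline: str):
    """Return (dll, export) when rundll32 is told to call a named export of a
    DLL outside the trusted roots, else None."""
    m = RUNDLL32_CALL.search(cmdline)
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    return None if in_trusted_dir(dll) else (dll, export)


def ping_relaunch(proc: Proc, orig_image: str):
    """Flag cmd.exe that sleeps via ping and then starts an executable from an
    untrusted path. Second element: whether the original sample path is handed
    to the new process (the cue that the original is about to be deleted)."""
    if not proc.image.lower().endswith("cmd.exe"):
        return None
    m = PING_RELAUNCH.search(proc.cmdline)
    if not m or in_trusted_dir(m.group(1)):
        return None
    return m.group(1), orig_image.lower() in proc.cmdline.lower()


def triage(tree, orig_image=ORIG):
    findings = []
    for p in tree:
        hit = ping_relaunch(p, orig_image)
        if hit:
            findings.append(("ping_delay_relaunch", p.pid, hit[0], hit[1]))
        hit = rundll32_untrusted_dll(p.cmdline)
        if hit:
            findings.append(("rundll32_untrusted_dll", p.pid, hit[0], hit[1]))
    return findings


def check_run_value(data: str):
    """The rundll32 rule applied to a Run key's value data (e.g. EvtMgr above)."""
    return rundll32_untrusted_dll(data)


if __name__ == "__main__":
    for finding in triage(SAMPLE_TREE):
        print(finding)
    print(check_run_value(r'c:\windows\SysWOW64\rundll32.exe "c:\cnfde\jbudw.dll",DoVirusScan'))
```

The rundll32 rule deliberately ignores the host binary's own path (SysWOW64 versus the system32 spelling in the command line is just WoW64 redirection) and keys on where the DLL lives and that an export is named; a legitimate Control Panel launch such as rundll32 shell32.dll,Control_RunDLL passes because shell32.dll is under the Windows directory.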

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/2284-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2284-2-0x0000000000400000-0x0000000000417000-memory.dmp

C:\fytjuhv.exe

MD5 012b52b30fcba353718a19cba796bb5a
SHA1 d99d8c607e00580edf47f327f910ed7b97e5c9e4
SHA256 89167f31763ab46812ac0e2a43d7a50c1c5012dcbe77df262c5fe91c43ff85cc
SHA512 519d8dd14c835e979b4cf7bda4ce71b67eff974a1f85b3420a3cfe6ab23ca862a2ebcdd1cd5a2697158a6432733ea8f645c408c8fc184a42b7a829528c0696a9

memory/2060-7-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\cnfde\jbudw.dll

MD5 cbfc06794d16ace6adf42210183fc1b9
SHA1 74fc68a2af225b0aca954b3684940747511013c5
SHA256 b2d21c40c5bfc0f7695945946fa1cdd4eaf2f66a8391ddde6307c5f765fbf525
SHA512 181dbe8b63e28a81cb8e0b7240df8745da350e1ab433b157b8b4fd36aa10f0782e807c09563bcffe37cfe64aa1b514b2cc1f179fbcba422d96867179d88e13c9

memory/3652-10-0x0000000010000000-0x0000000010032000-memory.dmp

memory/3652-11-0x0000000010001000-0x0000000010021000-memory.dmp

memory/3652-12-0x0000000010000000-0x0000000010032000-memory.dmp

memory/3652-13-0x0000000010001000-0x0000000010021000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 01:35

Reported

2024-10-16 01:38

Platform

win7-20240903-en

Max time kernel

144s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\umqyn.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\umqyn.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\tktni\\cewymhr.dll\",DoVirusScan" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\umqyn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe N/A
N/A N/A \??\c:\umqyn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1040 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1040 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1040 wrote to memory of 388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1040 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\umqyn.exe
PID 1040 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\umqyn.exe
PID 1040 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\umqyn.exe
PID 1040 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\umqyn.exe
PID 2428 wrote to memory of 2580 N/A \??\c:\umqyn.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2580 N/A \??\c:\umqyn.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2580 N/A \??\c:\umqyn.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2580 N/A \??\c:\umqyn.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2580 N/A \??\c:\umqyn.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2580 N/A \??\c:\umqyn.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 2580 N/A \??\c:\umqyn.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe

"C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\umqyn.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\umqyn.exe

c:\umqyn.exe "C:\Users\Admin\AppData\Local\Temp\9967333e71cb9d20c01e54504586c51651cf090306eb21dba9c477f209ea61ab.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\tktni\cewymhr.dll",DoVirusScan c:\umqyn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp

Files

memory/2244-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2244-2-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\umqyn.exe

MD5 e368bc1abdf9ace70440ca3828cb7105
SHA1 de7e6e97f84b383e118a38c902324b4fa4c0135b
SHA256 bf537b8dc07eeb08a8761e5d3cad3ac0fd68ea5cd20e35546194a5b4b76c7dce
SHA512 35a36ae562eb390b555d7c4cac4d89fc6400aa0ff0332a81f086f2230ef8378065b77234bbbd22a65151cf1cbbaea542b5c5fc9bcb867b603cef62063c95f1cf

memory/2428-6-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\tktni\cewymhr.dll

MD5 cbfc06794d16ace6adf42210183fc1b9
SHA1 74fc68a2af225b0aca954b3684940747511013c5
SHA256 b2d21c40c5bfc0f7695945946fa1cdd4eaf2f66a8391ddde6307c5f765fbf525
SHA512 181dbe8b63e28a81cb8e0b7240df8745da350e1ab433b157b8b4fd36aa10f0782e807c09563bcffe37cfe64aa1b514b2cc1f179fbcba422d96867179d88e13c9

memory/2580-15-0x000000001002C000-0x000000001002D000-memory.dmp

memory/2580-14-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2580-13-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2580-11-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2580-16-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2580-17-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2580-18-0x0000000010000000-0x0000000010032000-memory.dmp

memory/2580-19-0x0000000010000000-0x0000000010032000-memory.dmp