Malware Analysis Report

2025-08-11 01:20

Sample ID 231223-p7znrsafbn
Target cp.exe
SHA256 ca1fb3d8a70ec2e8baf3e420426c8c5db796df0799c4f94c03f7330c3c4d3cfe
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ca1fb3d8a70ec2e8baf3e420426c8c5db796df0799c4f94c03f7330c3c4d3cfe

Threat Level: Shows suspicious behavior

The file cp.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

Checks computer location settings

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-23 12:58

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-23 12:58

Reported

2023-12-23 13:04

Platform

win7-20231215-en

Max time kernel

287s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cp.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\cp.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2696 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 2840 wrote to memory of 2628 N/A C:\ProgramData\pinterests\XRJNZC.exe C:\Windows\SysWOW64\schtasks.exe
PID 476 wrote to memory of 1508 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 476 wrote to memory of 2188 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 476 wrote to memory of 3008 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 476 wrote to memory of 1728 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe
PID 476 wrote to memory of 2416 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\pinterests\XRJNZC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cp.exe

"C:\Users\Admin\AppData\Local\Temp\cp.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1q4.0.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\ProgramData\pinterests\XRJNZC.exe

"C:\ProgramData\pinterests\XRJNZC.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f

C:\Windows\system32\taskeng.exe

taskeng.exe {7B9AB9CA-BA82-4030-B161-979CC6A6EF32} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-23 12:58

Reported

2023-12-23 13:04

Platform

win10v2004-20231215-en

Max time kernel

298s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cp.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\ProgramData\pinterests\XRJNZC.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cp.exe

"C:\Users\Admin\AppData\Local\Temp\cp.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s154.0.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\ProgramData\pinterests\XRJNZC.exe

"C:\ProgramData\pinterests\XRJNZC.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

C:\ProgramData\pinterests\XRJNZC.exe

Network


Files
