Malware Analysis Report

2025-05-05 21:12

Sample ID 240626-qmnlfawepe
Target 2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia
SHA256 c929abac70998995f0bcbbfe913a408c0b487e8c33c16199d269c232d3dda932
Tags pyinstaller
Score 7/10


Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-26 13:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 13:22

Reported

2024-06-26 13:25

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe | N/A

(The mafia.exe row appears 2 times and the GRR.exe row 28 times in the original report; identical rows are collapsed here.)

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\logfiles\GRR.log | C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe | N/A
File created | C:\Windows\System32\logfiles\GRR_installer.txt | C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe | N/A

Detects Pyinstaller

Tags pyinstaller

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe

GRR.exe --install --config GRR.exe.yaml

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe

MD5 b17d3655a157899fd2904d991d02872c
SHA1 3f482357be09118a90864037596b05c8729b0681
SHA256 42baea9e58961737c95cefbd1fe30248bc508f9390b27cf39bff84819e5963e5
SHA512 c9cf68db26f508fa1a5a8c8d98211810fca2ca3494b91b474a99fe108c2a6446c6a2b94ee6e6926ec65a6898fd0e7c5596b793b7f80f07ce177c9651818bcfca

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\python27.dll

MD5 038882449b3b9e60f126e690a4a7bb20
SHA1 9671b9de5a0b2d52bd425476cdb76e1d8f830ce0
SHA256 1a138f57f163b61dda4c4e162351c6b29d64be774555bf734fa5c4ab064ea4a9
SHA512 f64dff3d3b6ae063ffc547e61ecfdb8d5f9d53997ef9b1076f81ec10a6ae8a068dad13c80776df0e649f972e802c7864a8004a67b873b3cf11ddfdceecee7537

\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\msvcr90.dll

MD5 31d858c6f1c453af516343758a4b2c69
SHA1 ec9fafdb7333df42e3a8fb25f6f0f30ffe36b795
SHA256 12abcf99dd28bf35b3c224accfe2587ba5f4199d163224b344cdc770eed36130
SHA512 92923ca2f4be8fab82a5104cbc39ce84ce60000d4e825b5ccc0b44ba7f7090f7967b491350adf2f0c4ef9ce63ba93241030245e730f1a77c055b0257e64cbc45

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_ctypes.pyd

MD5 9e6c48ec9508423d0ce6b6e4d4a10d90
SHA1 82548d0cfcd99bc11ecee670dc0c1c9538aa6ade
SHA256 b700441351b3a24a1ec392376984d3d95a541ea548c77f0df55d7af579ea9c1a
SHA512 37fc511610e5ab06a78f276bf0f4b7335a37d40fdf0158f674ecf1b029fe3298e0667230d3f8840258b8e5413108e1e6aeaaff090b3cca6eef007ca5a1f8d926

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_multiprocessing.pyd

MD5 06c8615f66abdd6c2d986d40339d1410
SHA1 5db9e634bff65d33ff0ee6aa95182f8291b5afcc
SHA256 df9fe9289d591f0891f321f8aae5b7ba7e7c4e8b0ffd5db9766ce90934a202cf
SHA512 fc085f5db97f41b0d62bd584d24c68e57e508f225ad55839b0680bb10398b3d6364c88dcc925cb4427e311d9d2631d5d21836419e4a02f3c7d2e9c33e59d6e97

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_hashlib.pyd

MD5 b1dbd52e5da083e5b5613a2b4c17a4ef
SHA1 0ed87f9e0b572f88e102739daab54db03fade416
SHA256 fa57bf3173f2d636984305401c06f1618b8119fea2c311d1173566ea236fa0c6
SHA512 dbe14802ff53e8fb9f35baa1c1bd0dc55c1073e0f96b59b5cc3783760e23c645cd453a39b2b4d0ab79ee871ba1cb81154a4cf5c54b67dde7ea14008d72dd2cae

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_socket.pyd

MD5 600de8a82e2204e88df27714687f88b9
SHA1 dac20e0bf5482a6f09648648bc4d38562473c89e
SHA256 a24422d519e5a9283a0887d4be09be2ac89797886d8f45151cab5e9fef8db1e1
SHA512 3d82eb600bd358a019dcde1f4a337d87f29c9a22937989dddfe697c433f58ba9e4a836752998a542e7df179adafa8c89c99aa18b51b100f7a57aa5b47a456460

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_ssl.pyd

MD5 9b59be1fa8427368c4e0e763f578d74c
SHA1 7287fe431a0a67aa41e9952906759746ddcffad1
SHA256 4ba198e7f53a37b3a825ff2ce4d3e6ca00ad96e62852f0127a46c57a9a4a3026
SHA512 6905c5f80ff723ff79863332dd8d20d4cbbe224d355ba9b824a6f29ead62ebec16fa96ec664bdb56a2688847881a53c34459311c156f35aa887b2a808a6e9032

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\pywintypes27.dll

MD5 1ec8d89e992d8f04cb0042e2122ca95c
SHA1 e26c4b2e038d85cc979b1278e918619f95ad3613
SHA256 25b66cefd9a6c8b401c10451668516adc5f11eab9246a19780f59554f12f43c5
SHA512 8a52fc4aa73ba2b7e05a8404a9a7c8892829074540374d5c5c6aee3776ab1d2d52cab92fd8fe7572d68d3acd3899ea4fd2504e60f412bbb85a6fcea915da1821

\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\pythoncom27.dll

MD5 01c89fb05232c8310f6a8b4975297963
SHA1 e03d1c9df87e0e6f98f16aae5ebd9fa51d696e35
SHA256 dbec592da6dd2a4d653def499e22865246f1f6441172fadf1a15db498f11781a
SHA512 c5df838814f4747f3ba192e39265fadf83295762d3a1f5cf37fcad22c88b0157297a5bd3b5667c394d534f22ca1b680780ff1be12c443d2265dfc674ccdc4b42

\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\win32api.pyd

MD5 f4612401995a7c88c278716bf9440b44
SHA1 33af801b819ac279831836ad9cc706ba4ebad186
SHA256 196115722d774a84c84fa51cc1f1bdffabeee3cd1c6c1e33822d88fe4d4bea37
SHA512 60d1ff88017c5b7279aef894a0f56dc8d6c20bca1c96cdaf1a1ba2dc953a62d52ccf0084d4fe62b88fca530361343725ffd61fbefa7052f8d92bc4563b7a7daf

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\psutil._psutil_windows.pyd

MD5 8bbb1c5fd910a301ba470730a86796f1
SHA1 d4e5a20e275c13bf14b080e75f8ed3ffc901fa90
SHA256 b884b18c4842963e476f4f8c8dcd4408d600e3ba411d17ccbeedb1739f6eef31
SHA512 2ea4d341ce86f7b5aab513687e7dc9b667b0be2d9c6cdb3047344bb510db02a21bb78e88e7e0b3da5f92286316ef3262580b124a1fd0529d21412cd540e39586

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\lib2to3\Grammar2.7.16.final.0.pickle

MD5 b7883beb25b0e80e8d6dd9c26a097176
SHA1 31c08ec757ae27bbe0983fff0ef11da5c6d521f9
SHA256 ae5bdfddedf6924ed453e07d2a5ab7cb9d1dc7cc550ab355cb0de061705c9951
SHA512 a26fadabac0872a43b747358621316b246db51ca833fa48ad6b16c232535928f311666952ce27f5f37f157e6d0df22675d2d3aa4c5d18820297057c09e73961c

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\lib2to3\PatternGrammar2.7.16.final.0.pickle

MD5 53349ff0e74e480ccb368417e0e97688
SHA1 98991a25e0e0bf4f72e9d117caef6382554e5e75
SHA256 ba3648277040cbefd390d06d3c49e630c480d48f42edd98e66b3247260d9cf6a
SHA512 7b712d14c8c1774465e63ac4a15d6443c4ee88f95b9797894881973e7411de2799c4e600a5739d1fcda8b5c76b7329274055046eda505c51f9e3e12e49159b50

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_yaml.pyd

MD5 5c78e849e57910f9c9c3aa7dd30407fc
SHA1 21a4a2db35ccfcd5efcb5b0912c776238a2940d6
SHA256 e00f3b812b7d67d86b8eed34abd5b86adfcd08904b2a1c59ec9b516205be63a8
SHA512 442c091fe2d259c2de42c1922cc2fb4e11c1317a10a68d06b0781878cb6c1beaa616a96b0f5ed06a05b8f5d5ff71a2291eff3ed23720a1b3e8bdef08626b7817

memory/2384-182-0x0000000000280000-0x00000000002B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\select.pyd

MD5 efb6435cb9fb6462132181738c729885
SHA1 0931e3aa2682fdf676b9b6009e8ca8f92f014e7e
SHA256 039981e17c2eb88cb2d08e50f2d323027e27683a7b3b3bc042e76fba40d34ab2
SHA512 6d7ad34390579e98cba75dfdbd3ace5af26ddf7f62675e33a29322911e94d1382ea84c8483265644866384ead64ffa55a1a0dd7c6d0787524fa972735f44f015

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\unicodedata.pyd

MD5 a13020f231b588d46aaf82fe9314efdc
SHA1 fa43858266fbfa564e98fba78f7e8634659f2dfe
SHA256 426d241e6480cecaf55a23ac686311a362548377edcfbfc920ac4cfbe3ea479c
SHA512 ed759afde4cf4960f059162b945c5de0e8270780004309c85093684ebfba93cfbb6e642e9db667ed852e8ceaa8c7c4386ff303db08713af4b31a4eeee45955f0

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_cffi_backend.pyd

MD5 891fb059049987c6cf148f4b93cda09f
SHA1 5a154ede87b7a72556f46e63cb65b794bc200f52
SHA256 dd673ed74e624384c8c9541a799844c0ba95e81c1f67c51971433c7223b6c616
SHA512 ff4cc9f33b38bd6af51141c93ee988bb139743e8d2e5be956b971b20b350b7248db9fdd3e83414a92ea5377d4abd8b77f362d7889bf3dc31185d76b90ac19807

\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\cryptography.hazmat.bindings._constant_time.pyd

MD5 1fccc08819ac663d36e1c567e34e8451
SHA1 9218d2a68454828e1fe5f06faf3a14139bd3f494
SHA256 7318b66e5ea1348e6875b1e0217e450e22c3fb9c96739d746be19c01be69073d
SHA512 e744708102cc6bb57dd65e28fa29471c75784dbbb64b1d29ff06ef4ae1d1b84d62abc3da9bec6645f079b4900ee95981755d3e2b9cdf1bb005c589877478a7c9

memory/2384-191-0x0000000000360000-0x0000000000383000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\cryptography.hazmat.bindings._openssl.pyd

MD5 1f30b7cc98dfcfe314c570d1fe8a0b1a
SHA1 9ad798c634679150ff14995c1deeb658cc9abf53
SHA256 0b602cca491f17f3d55cc1b760bb1ebe48d96e4ca68cb6769c46960add08b67c
SHA512 f6cd07c59df110c95ff699dbc3ef0c1ad14a7edfa64b5534228bc0587898cf7866d9ebba0c5dc2759e187f90b50cdfa706f633a2e32f1d460c652cb7a84a560d

\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\cryptography.hazmat.bindings._padding.pyd

MD5 7db9c7461c4f2f5883f86af789f81413
SHA1 e71b8a9266a82c28219ae2ab6eb2144ad1731fb6
SHA256 11e625062add39e8ea1386fd28965cd4f2e52fcb6825f7bd1607db576a09f7ca
SHA512 0421952ad1365486147e9232fb966b62d2551d098568579bd103a9df4a7c0a04ad2c889e6c7e9d6318a7a7215a08af89449ea645373f07ec9041865f82d49ba4

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\win32file.pyd

MD5 11d8deea5b29cc172f04bc746edae3bc
SHA1 2825675d0aca5bcb1c22873b042195094480842f
SHA256 4214600d7beb51376a0dbc60c2b77f589368e5ef46ca401fe43b62f7342fdaa5
SHA512 c870f7f49fbb027e72d1a1827b99452ed6f2ddf914ac7f1505554379b6f2c815549ef570d4e834fab0ee4f0686903359f1d8982b87768fd5189f4e15ad7805ed

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\win32security.pyd

MD5 cf1a15ceadd7622af49253ce824df047
SHA1 d95323410495cfd425ad30750ea58cfd95df11a7
SHA256 e170fa57c18fe6f244265e3adf4df0fbe332da7ba25285ac8692843a57af0c79
SHA512 8117a2692ff97f6cd85a33d4839f4ec65ebd11c87eeb9ef6b70f75e7db29906cc6d10cc8a8e5c68a9129f49fcf0464d58e19cf4d886f84d385bfe4738aa5349c

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\yara.pyd

MD5 9832a3353831eb90bd2e84cff5553cde
SHA1 cc95073dc09cb89400a6503032649d6ea2caee29
SHA256 0c1f24d87a4c2b84dd0c020677285819e02b1e1a504f754f1d0748463ef938c8
SHA512 1653f9c7ad78232f9e031bc2b307020eee45aed1fe86c1b66779bd64af2f72bb704518efa8ad1b7a6f59d6080d6409f9774a65764549f48f1f479863b3877f16

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\pytsk3.pyd

MD5 8caa66fd7f2ec899f84a8d53a9504fb5
SHA1 93990d481c6daf1b868be0a2dc2a097227022138
SHA256 5bb18adf33b709e919fceb167d3380be9df9080e5187d5b77ce0ddd2223c4cf3
SHA512 938c62586a8af258a0e3567df3763f053429a927d3a3bbf7c074b38f2ced90d695829507d822a0cd8a29b56a8559af0286bd1f678042e5143b7bf13cb653718d

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\version.ini

MD5 4ec3c6681b6d291b4bc3be02e4a03d1c
SHA1 7282cd03e6d067f6c72276616587ead46e7474b2
SHA256 1a56961c193467380707879716021826f59d8e3385b2e1dc4b33e292d6b4d8c7
SHA512 a8b270827009db3aed65d8395039c40a2dcc5bb48e5b7bb55896c77e127206d406c7d63c16de3a746eb2e2c4800a9d3ee5acfd17e32ee51c2b56b7bd3fa0e2a0

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\MSVCP90.dll

MD5 5433ee6ee9ad64b8d45729815221866b
SHA1 01e1edd421c8a4983c4d4d9650d379d0692df7aa
SHA256 664a55f1acae07aefc32eddfd20bcb3efd76df7f78743ecacdf9500a08f630fd
SHA512 0e06456fd749dc2ede8b2f76c40d7efc68f9d6d72d724e7e9f2723db0752ac9b0100e43d6f9442375d9f4f9c4fe8eaa78b86949a0a6bccd5e1cd24604aaca75e

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\win32service.pyd

MD5 3352fc767f212d8ef1a19bc0d7ab0bef
SHA1 5db7fb6cfa4cdb43c345b83d2fbb0bd046affba5
SHA256 47030c14ced591b9e410c0f62e58872d041635c4dcbe15762e95505a52eb6113
SHA512 786f89e46273b2548e3ecf7ce247244f92c3cced269867dd9077c916a4cc154b6b43167ab4f67f354bb7c150fe7ac2e21427cbd9e04e4ff3683304ba2ab81ddd

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\_sqlite3.pyd

MD5 961525a34aa5c6dee1d3d14d112a699c
SHA1 874f2b08555803711d4f5176812baf160eae8c5c
SHA256 547b23fc7c82cf95f013223f2164b553e494f7fbb41c0e317069b2fe79d81057
SHA512 ae09946b42f7b72e959c5b47b13a6158a955fe194f4145b7569df7c0c47a32024c4f0ab6ee943b34a4b8a2fad2ae65ce3baa852306d09ef4f52ec439d51016d1

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\sqlite3.dll

MD5 f5bcd111686505634bbabe8296ec90b0
SHA1 6a04860c586807f9f0ae46db837f96b5af6b0023
SHA256 0175346fd25c6cc528fe7e74bf8d0c742eaa2ccada519d1e37f00e8e8d5951f5
SHA512 5b1f8f39174e88c54456f8752d98361fcc616608e3b18b7bdf8613e4d2195b3189de3a1ecf901f9a40694ff73f9f46fc37561f31344f6bdb369979e07955c108

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\win32process.pyd

MD5 f80982c6045a71bb289955a63c2cab28
SHA1 9b1193d5c43f55726ce6b195ca12c00e36a0a159
SHA256 a30a13aed206b0090545a509ee0a1d5470650c849f28e22b7d97cccc0e42c3e8
SHA512 966b1c4305b50703e775d961710654daabd08e26bae9e4ebba39f38450802dc6df899b8b7ea481cdf5da33e40b728318de3138aeb5a87429b8c9d0df78868b68

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\win32evtlog.pyd

MD5 e5dc7f98f0019fe551eb1a12c95601f5
SHA1 9d2e34688311f77349dacb748f811500865236c7
SHA256 67c7926e596fb521e0f0fd8e9119c5b354ce754903f15cee64d32a214e32bf84
SHA512 d664456904ad8cc8e1b47d11aeea0adf4e72e9818d244e3cc72cb2328a093329eeb1d4680c48111e1d0efd588306a7c1d42335e26853be639afb4e94745526a9

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\build.yaml

MD5 6c200db311716cc01e9affaf1698b2e3
SHA1 458a0b48439407b973a6b378dd296c5d768a0ce4
SHA256 c6d7ab6f03f19d5c05cbd5a21bd37d1537147b3d040e7f0cd934c067e97f0144
SHA512 f2eb13a554a98d4b94c86d3924650895ae5c881f6da44414f69fcb9f5d317692782763ba15cd48a226d0e288ac47bb2734d9a7f54ad8f0d8128ef6860f9a4fb2

C:\Users\Admin\AppData\Local\Temp\TMP6C4.tmp\GRR.exe.yaml

MD5 4532472edcf3a07465f94e43ef4afe1d
SHA1 4b54318181d746c7f169edf5060ffed7299b07ef
SHA256 e905ffaefd78cec4fd0b282823d3c50eaa11292f59ac1297dc3c1e90ef838832
SHA512 a9d7369744191a6cbe690497f2cc98dab86a51b262f7bcc5a40dce0d7b1e59bff2b9b9bd6d17d244d19989adde888a9f5590ff6c429d0715c4fb1fa2418e07e8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 13:22

Reported

2024-06-26 13:25

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe | N/A

(This row appears 30 times in the original report; identical rows are collapsed here.)

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\logfiles\GRR.log | C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe | N/A
File created | C:\Windows\System32\logfiles\GRR_installer.txt | C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe | N/A

Detects Pyinstaller

Tags pyinstaller

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-26_44d0e7753e5e40231be7c7902fc7657d_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe

GRR.exe --install --config GRR.exe.yaml

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe

MD5 b17d3655a157899fd2904d991d02872c
SHA1 3f482357be09118a90864037596b05c8729b0681
SHA256 42baea9e58961737c95cefbd1fe30248bc508f9390b27cf39bff84819e5963e5
SHA512 c9cf68db26f508fa1a5a8c8d98211810fca2ca3494b91b474a99fe108c2a6446c6a2b94ee6e6926ec65a6898fd0e7c5596b793b7f80f07ce177c9651818bcfca

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\python27.dll

MD5 038882449b3b9e60f126e690a4a7bb20
SHA1 9671b9de5a0b2d52bd425476cdb76e1d8f830ce0
SHA256 1a138f57f163b61dda4c4e162351c6b29d64be774555bf734fa5c4ab064ea4a9
SHA512 f64dff3d3b6ae063ffc547e61ecfdb8d5f9d53997ef9b1076f81ec10a6ae8a068dad13c80776df0e649f972e802c7864a8004a67b873b3cf11ddfdceecee7537

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\pywintypes27.dll

MD5 1ec8d89e992d8f04cb0042e2122ca95c
SHA1 e26c4b2e038d85cc979b1278e918619f95ad3613
SHA256 25b66cefd9a6c8b401c10451668516adc5f11eab9246a19780f59554f12f43c5
SHA512 8a52fc4aa73ba2b7e05a8404a9a7c8892829074540374d5c5c6aee3776ab1d2d52cab92fd8fe7572d68d3acd3899ea4fd2504e60f412bbb85a6fcea915da1821

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32api.pyd

MD5 f4612401995a7c88c278716bf9440b44
SHA1 33af801b819ac279831836ad9cc706ba4ebad186
SHA256 196115722d774a84c84fa51cc1f1bdffabeee3cd1c6c1e33822d88fe4d4bea37
SHA512 60d1ff88017c5b7279aef894a0f56dc8d6c20bca1c96cdaf1a1ba2dc953a62d52ccf0084d4fe62b88fca530361343725ffd61fbefa7052f8d92bc4563b7a7daf

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_ssl.pyd

MD5 9b59be1fa8427368c4e0e763f578d74c
SHA1 7287fe431a0a67aa41e9952906759746ddcffad1
SHA256 4ba198e7f53a37b3a825ff2ce4d3e6ca00ad96e62852f0127a46c57a9a4a3026
SHA512 6905c5f80ff723ff79863332dd8d20d4cbbe224d355ba9b824a6f29ead62ebec16fa96ec664bdb56a2688847881a53c34459311c156f35aa887b2a808a6e9032

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_socket.pyd

MD5 600de8a82e2204e88df27714687f88b9
SHA1 dac20e0bf5482a6f09648648bc4d38562473c89e
SHA256 a24422d519e5a9283a0887d4be09be2ac89797886d8f45151cab5e9fef8db1e1
SHA512 3d82eb600bd358a019dcde1f4a337d87f29c9a22937989dddfe697c433f58ba9e4a836752998a542e7df179adafa8c89c99aa18b51b100f7a57aa5b47a456460

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_hashlib.pyd

MD5 b1dbd52e5da083e5b5613a2b4c17a4ef
SHA1 0ed87f9e0b572f88e102739daab54db03fade416
SHA256 fa57bf3173f2d636984305401c06f1618b8119fea2c311d1173566ea236fa0c6
SHA512 dbe14802ff53e8fb9f35baa1c1bd0dc55c1073e0f96b59b5cc3783760e23c645cd453a39b2b4d0ab79ee871ba1cb81154a4cf5c54b67dde7ea14008d72dd2cae

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_multiprocessing.pyd

MD5 06c8615f66abdd6c2d986d40339d1410
SHA1 5db9e634bff65d33ff0ee6aa95182f8291b5afcc
SHA256 df9fe9289d591f0891f321f8aae5b7ba7e7c4e8b0ffd5db9766ce90934a202cf
SHA512 fc085f5db97f41b0d62bd584d24c68e57e508f225ad55839b0680bb10398b3d6364c88dcc925cb4427e311d9d2631d5d21836419e4a02f3c7d2e9c33e59d6e97

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\pythoncom27.dll

MD5 01c89fb05232c8310f6a8b4975297963
SHA1 e03d1c9df87e0e6f98f16aae5ebd9fa51d696e35
SHA256 dbec592da6dd2a4d653def499e22865246f1f6441172fadf1a15db498f11781a
SHA512 c5df838814f4747f3ba192e39265fadf83295762d3a1f5cf37fcad22c88b0157297a5bd3b5667c394d534f22ca1b680780ff1be12c443d2265dfc674ccdc4b42

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\psutil._psutil_windows.pyd

MD5 8bbb1c5fd910a301ba470730a86796f1
SHA1 d4e5a20e275c13bf14b080e75f8ed3ffc901fa90
SHA256 b884b18c4842963e476f4f8c8dcd4408d600e3ba411d17ccbeedb1739f6eef31
SHA512 2ea4d341ce86f7b5aab513687e7dc9b667b0be2d9c6cdb3047344bb510db02a21bb78e88e7e0b3da5f92286316ef3262580b124a1fd0529d21412cd540e39586

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\lib2to3\PatternGrammar2.7.16.final.0.pickle

MD5 53349ff0e74e480ccb368417e0e97688
SHA1 98991a25e0e0bf4f72e9d117caef6382554e5e75
SHA256 ba3648277040cbefd390d06d3c49e630c480d48f42edd98e66b3247260d9cf6a
SHA512 7b712d14c8c1774465e63ac4a15d6443c4ee88f95b9797894881973e7411de2799c4e600a5739d1fcda8b5c76b7329274055046eda505c51f9e3e12e49159b50

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\lib2to3\Grammar2.7.16.final.0.pickle

MD5 b7883beb25b0e80e8d6dd9c26a097176
SHA1 31c08ec757ae27bbe0983fff0ef11da5c6d521f9
SHA256 ae5bdfddedf6924ed453e07d2a5ab7cb9d1dc7cc550ab355cb0de061705c9951
SHA512 a26fadabac0872a43b747358621316b246db51ca833fa48ad6b16c232535928f311666952ce27f5f37f157e6d0df22675d2d3aa4c5d18820297057c09e73961c

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\select.pyd

MD5 efb6435cb9fb6462132181738c729885
SHA1 0931e3aa2682fdf676b9b6009e8ca8f92f014e7e
SHA256 039981e17c2eb88cb2d08e50f2d323027e27683a7b3b3bc042e76fba40d34ab2
SHA512 6d7ad34390579e98cba75dfdbd3ace5af26ddf7f62675e33a29322911e94d1382ea84c8483265644866384ead64ffa55a1a0dd7c6d0787524fa972735f44f015

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\unicodedata.pyd

MD5 a13020f231b588d46aaf82fe9314efdc
SHA1 fa43858266fbfa564e98fba78f7e8634659f2dfe
SHA256 426d241e6480cecaf55a23ac686311a362548377edcfbfc920ac4cfbe3ea479c
SHA512 ed759afde4cf4960f059162b945c5de0e8270780004309c85093684ebfba93cfbb6e642e9db667ed852e8ceaa8c7c4386ff303db08713af4b31a4eeee45955f0

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\cryptography.hazmat.bindings._openssl.pyd

MD5 1f30b7cc98dfcfe314c570d1fe8a0b1a
SHA1 9ad798c634679150ff14995c1deeb658cc9abf53
SHA256 0b602cca491f17f3d55cc1b760bb1ebe48d96e4ca68cb6769c46960add08b67c
SHA512 f6cd07c59df110c95ff699dbc3ef0c1ad14a7edfa64b5534228bc0587898cf7866d9ebba0c5dc2759e187f90b50cdfa706f633a2e32f1d460c652cb7a84a560d

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\cryptography.hazmat.bindings._padding.pyd

MD5 7db9c7461c4f2f5883f86af789f81413
SHA1 e71b8a9266a82c28219ae2ab6eb2144ad1731fb6
SHA256 11e625062add39e8ea1386fd28965cd4f2e52fcb6825f7bd1607db576a09f7ca
SHA512 0421952ad1365486147e9232fb966b62d2551d098568579bd103a9df4a7c0a04ad2c889e6c7e9d6318a7a7215a08af89449ea645373f07ec9041865f82d49ba4

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\yara.pyd

MD5 9832a3353831eb90bd2e84cff5553cde
SHA1 cc95073dc09cb89400a6503032649d6ea2caee29
SHA256 0c1f24d87a4c2b84dd0c020677285819e02b1e1a504f754f1d0748463ef938c8
SHA512 1653f9c7ad78232f9e031bc2b307020eee45aed1fe86c1b66779bd64af2f72bb704518efa8ad1b7a6f59d6080d6409f9774a65764549f48f1f479863b3877f16

memory/4104-198-0x0000000005070000-0x00000000051A4000-memory.dmp

memory/4104-204-0x00000000051B0000-0x000000000530C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32service.pyd

MD5 3352fc767f212d8ef1a19bc0d7ab0bef
SHA1 5db7fb6cfa4cdb43c345b83d2fbb0bd046affba5
SHA256 47030c14ced591b9e410c0f62e58872d041635c4dcbe15762e95505a52eb6113
SHA512 786f89e46273b2548e3ecf7ce247244f92c3cced269867dd9077c916a4cc154b6b43167ab4f67f354bb7c150fe7ac2e21427cbd9e04e4ff3683304ba2ab81ddd

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\pytsk3.pyd

MD5 8caa66fd7f2ec899f84a8d53a9504fb5
SHA1 93990d481c6daf1b868be0a2dc2a097227022138
SHA256 5bb18adf33b709e919fceb167d3380be9df9080e5187d5b77ce0ddd2223c4cf3
SHA512 938c62586a8af258a0e3567df3763f053429a927d3a3bbf7c074b38f2ced90d695829507d822a0cd8a29b56a8559af0286bd1f678042e5143b7bf13cb653718d

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\version.ini

MD5 4ec3c6681b6d291b4bc3be02e4a03d1c
SHA1 7282cd03e6d067f6c72276616587ead46e7474b2
SHA256 1a56961c193467380707879716021826f59d8e3385b2e1dc4b33e292d6b4d8c7
SHA512 a8b270827009db3aed65d8395039c40a2dcc5bb48e5b7bb55896c77e127206d406c7d63c16de3a746eb2e2c4800a9d3ee5acfd17e32ee51c2b56b7bd3fa0e2a0

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32security.pyd

MD5 cf1a15ceadd7622af49253ce824df047
SHA1 d95323410495cfd425ad30750ea58cfd95df11a7
SHA256 e170fa57c18fe6f244265e3adf4df0fbe332da7ba25285ac8692843a57af0c79
SHA512 8117a2692ff97f6cd85a33d4839f4ec65ebd11c87eeb9ef6b70f75e7db29906cc6d10cc8a8e5c68a9129f49fcf0464d58e19cf4d886f84d385bfe4738aa5349c

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32file.pyd

MD5 11d8deea5b29cc172f04bc746edae3bc
SHA1 2825675d0aca5bcb1c22873b042195094480842f
SHA256 4214600d7beb51376a0dbc60c2b77f589368e5ef46ca401fe43b62f7342fdaa5
SHA512 c870f7f49fbb027e72d1a1827b99452ed6f2ddf914ac7f1505554379b6f2c815549ef570d4e834fab0ee4f0686903359f1d8982b87768fd5189f4e15ad7805ed

memory/4104-186-0x00000000035A0000-0x00000000035C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_cffi_backend.pyd

MD5 891fb059049987c6cf148f4b93cda09f
SHA1 5a154ede87b7a72556f46e63cb65b794bc200f52
SHA256 dd673ed74e624384c8c9541a799844c0ba95e81c1f67c51971433c7223b6c616
SHA512 ff4cc9f33b38bd6af51141c93ee988bb139743e8d2e5be956b971b20b350b7248db9fdd3e83414a92ea5377d4abd8b77f362d7889bf3dc31185d76b90ac19807

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\cryptography.hazmat.bindings._constant_time.pyd

MD5 1fccc08819ac663d36e1c567e34e8451
SHA1 9218d2a68454828e1fe5f06faf3a14139bd3f494
SHA256 7318b66e5ea1348e6875b1e0217e450e22c3fb9c96739d746be19c01be69073d
SHA512 e744708102cc6bb57dd65e28fa29471c75784dbbb64b1d29ff06ef4ae1d1b84d62abc3da9bec6645f079b4900ee95981755d3e2b9cdf1bb005c589877478a7c9

memory/4104-176-0x0000000003560000-0x0000000003598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_yaml.pyd

MD5 5c78e849e57910f9c9c3aa7dd30407fc
SHA1 21a4a2db35ccfcd5efcb5b0912c776238a2940d6
SHA256 e00f3b812b7d67d86b8eed34abd5b86adfcd08904b2a1c59ec9b516205be63a8
SHA512 442c091fe2d259c2de42c1922cc2fb4e11c1317a10a68d06b0781878cb6c1beaa616a96b0f5ed06a05b8f5d5ff71a2291eff3ed23720a1b3e8bdef08626b7817

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_ctypes.pyd

MD5 9e6c48ec9508423d0ce6b6e4d4a10d90
SHA1 82548d0cfcd99bc11ecee670dc0c1c9538aa6ade
SHA256 b700441351b3a24a1ec392376984d3d95a541ea548c77f0df55d7af579ea9c1a
SHA512 37fc511610e5ab06a78f276bf0f4b7335a37d40fdf0158f674ecf1b029fe3298e0667230d3f8840258b8e5413108e1e6aeaaff090b3cca6eef007ca5a1f8d926

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\_sqlite3.pyd

MD5 961525a34aa5c6dee1d3d14d112a699c
SHA1 874f2b08555803711d4f5176812baf160eae8c5c
SHA256 547b23fc7c82cf95f013223f2164b553e494f7fbb41c0e317069b2fe79d81057
SHA512 ae09946b42f7b72e959c5b47b13a6158a955fe194f4145b7569df7c0c47a32024c4f0ab6ee943b34a4b8a2fad2ae65ce3baa852306d09ef4f52ec439d51016d1

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\sqlite3.dll

MD5 f5bcd111686505634bbabe8296ec90b0
SHA1 6a04860c586807f9f0ae46db837f96b5af6b0023
SHA256 0175346fd25c6cc528fe7e74bf8d0c742eaa2ccada519d1e37f00e8e8d5951f5
SHA512 5b1f8f39174e88c54456f8752d98361fcc616608e3b18b7bdf8613e4d2195b3189de3a1ecf901f9a40694ff73f9f46fc37561f31344f6bdb369979e07955c108

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32process.pyd

MD5 f80982c6045a71bb289955a63c2cab28
SHA1 9b1193d5c43f55726ce6b195ca12c00e36a0a159
SHA256 a30a13aed206b0090545a509ee0a1d5470650c849f28e22b7d97cccc0e42c3e8
SHA512 966b1c4305b50703e775d961710654daabd08e26bae9e4ebba39f38450802dc6df899b8b7ea481cdf5da33e40b728318de3138aeb5a87429b8c9d0df78868b68

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\GRR.exe.yaml

MD5 4532472edcf3a07465f94e43ef4afe1d
SHA1 4b54318181d746c7f169edf5060ffed7299b07ef
SHA256 e905ffaefd78cec4fd0b282823d3c50eaa11292f59ac1297dc3c1e90ef838832
SHA512 a9d7369744191a6cbe690497f2cc98dab86a51b262f7bcc5a40dce0d7b1e59bff2b9b9bd6d17d244d19989adde888a9f5590ff6c429d0715c4fb1fa2418e07e8

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\build.yaml

MD5 6c200db311716cc01e9affaf1698b2e3
SHA1 458a0b48439407b973a6b378dd296c5d768a0ce4
SHA256 c6d7ab6f03f19d5c05cbd5a21bd37d1537147b3d040e7f0cd934c067e97f0144
SHA512 f2eb13a554a98d4b94c86d3924650895ae5c881f6da44414f69fcb9f5d317692782763ba15cd48a226d0e288ac47bb2734d9a7f54ad8f0d8128ef6860f9a4fb2

C:\Users\Admin\AppData\Local\Temp\TMPDFC1.tmp\win32evtlog.pyd

MD5 e5dc7f98f0019fe551eb1a12c95601f5
SHA1 9d2e34688311f77349dacb748f811500865236c7
SHA256 67c7926e596fb521e0f0fd8e9119c5b354ce754903f15cee64d32a214e32bf84
SHA512 d664456904ad8cc8e1b47d11aeea0adf4e72e9818d244e3cc72cb2328a093329eeb1d4680c48111e1d0efd588306a7c1d42335e26853be639afb4e94745526a9