de3e7309a038212864c3f1d717e29cbc3528390f1a8a99b5aee924f1fddc2508

Analysis

max time kernel
140s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/03/2023, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install-antimalware-fix.exe
Size

884KB
MD5

d4bc14d79adb65d8a03c1043f0c2ff07
SHA1

d454154fe8241eecf2a53f658aaeed805d25fecc
SHA256

de3e7309a038212864c3f1d717e29cbc3528390f1a8a99b5aee924f1fddc2508
SHA512

71f04ad3d96e5d83839cb9effb71ac826cb9ea6e4701c0e744b7d9f80fe029669f8ce06b6080e0c97a94abe1be44f81b09dbd0b57758cd11249ab1e39fc30a29
SSDEEP

24576:n9HmIVL1Tvp/MdafdwXCK0W8R/XJe0oYbdVRcTjCPJrIklTG0Z:RmIVXCafdjJDM0oYbTRejCxrIklTG0Z

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SET95AC.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\gsInetSecurity.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\GSDriver64.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET7649.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET7649.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\GSDriver64.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET95AC.tmp	RUNDLL32.EXE

Executes dropped EXE 1 IoCs

pid	Process
1624	Zkl64zju.9F4

Loads dropped DLL 16 IoCs

pid	Process
1956	install-antimalware-fix.exe
1624	Zkl64zju.9F4
1624	Zkl64zju.9F4
1624	Zkl64zju.9F4
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1572	regsvr32.exe
2024	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\InprocServer32\ = "C:\\PROGRA~1\\GRIDIN~1\\shellext.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\InprocServer32	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1956-54-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/1956-59-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/1956-143-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/1956-152-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/1956-275-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/1956-295-0x0000000000400000-0x0000000000655000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\italian.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\japanese.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\libnspr4.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\sqlite3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\greek.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver64.sys	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\gsInetSecurity.sys	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nspr4.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\plds4.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\swedish.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\polish.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\ssleay32.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\smime3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\libplds4.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nss3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\arabic.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\czech.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\sqlite3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\gsInetSecurity.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\certutil.exe	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\hungarian.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\gtkmgmt.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\shellext.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\bulgarian.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\tkcon.exe	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\ukrainian.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\hebrew.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\libmem.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nssutil3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\french.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\pFilters.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\croatian.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\thai.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\chinese (Simplified).lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\7z.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\libeay32.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\chinese (traditional).lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\turkish.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver86.sys	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\gsInetSecurity.inf	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\freebl3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\libplc4.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\azerbaijani.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\persian.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\gsam.exe	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\offreg.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\german.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nssdbm3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\korean.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\gsinetsecurity.cat	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\uninst.exe	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\gtkmgmtc.exe	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\whatsnew.dat	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\sciter.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\russian.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\spanish.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\brazilian portuguese.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\dutch.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\english.lng	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\mozcrt19.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\softokn3.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nssckbi.dll	Zkl64zju.9F4
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\slovenian.lng	Zkl64zju.9F4

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	install-antimalware-fix.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	install-antimalware-fix.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shellext.Gridinsoft Anti-Malware\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Gridinsoft Anti-Malware\ = "{F77F27A6-89F3-471A-AFA8-3B280940A10C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Gridinsoft Anti-Malware\ = "{F77F27A6-89F3-471A-AFA8-3B280940A10C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Gridinsoft Anti-Malware	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\ProgID\ = "shellext.Gridinsoft Anti-Malware"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\ShellEx\ContextMenuHandlers\Gridinsoft Anti-Malware	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Gridinsoft Anti-Malware\ = "{F77F27A6-89F3-471A-AFA8-3B280940A10C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\shellext.Gridinsoft Anti-Malware	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shellext.Gridinsoft Anti-Malware\Clsid\ = "{F77F27A6-89F3-471A-AFA8-3B280940A10C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers\Gridinsoft Anti-Malware	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\InprocServer32\ = "C:\\PROGRA~1\\GRIDIN~1\\shellext.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\shellext.Gridinsoft Anti-Malware\ = "Gridinsoft Anti-Malware"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Gridinsoft Anti-Malware\ = "{F77F27A6-89F3-471A-AFA8-3B280940A10C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\ShellEx\ContextMenuHandlers\Gridinsoft Anti-Malware	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F77F27A6-89F3-471A-AFA8-3B280940A10C}\ = "Gridinsoft Anti-Malware"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	install-antimalware-fix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	install-antimalware-fix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	install-antimalware-fix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	install-antimalware-fix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	install-antimalware-fix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	install-antimalware-fix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	install-antimalware-fix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	install-antimalware-fix.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	1272	RUNDLL32.EXE
Token: SeRestorePrivilege	1272	RUNDLL32.EXE
Token: SeRestorePrivilege	1272	RUNDLL32.EXE
Token: SeRestorePrivilege	1272	RUNDLL32.EXE
Token: SeRestorePrivilege	1272	RUNDLL32.EXE
Token: SeRestorePrivilege	1272	RUNDLL32.EXE
Token: SeRestorePrivilege	1272	RUNDLL32.EXE
Token: SeRestorePrivilege	456	RUNDLL32.EXE
Token: SeRestorePrivilege	456	RUNDLL32.EXE
Token: SeRestorePrivilege	456	RUNDLL32.EXE
Token: SeRestorePrivilege	456	RUNDLL32.EXE
Token: SeRestorePrivilege	456	RUNDLL32.EXE
Token: SeRestorePrivilege	456	RUNDLL32.EXE
Token: SeRestorePrivilege	456	RUNDLL32.EXE
Token: SeRestorePrivilege	1924	RUNDLL32.EXE
Token: SeRestorePrivilege	1924	RUNDLL32.EXE
Token: SeRestorePrivilege	1924	RUNDLL32.EXE
Token: SeRestorePrivilege	1924	RUNDLL32.EXE
Token: SeRestorePrivilege	1924	RUNDLL32.EXE
Token: SeRestorePrivilege	1924	RUNDLL32.EXE
Token: SeRestorePrivilege	1924	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1956	install-antimalware-fix.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1624	1956	install-antimalware-fix.exe	30
PID 1956 wrote to memory of 1624	1956	install-antimalware-fix.exe	30
PID 1956 wrote to memory of 1624	1956	install-antimalware-fix.exe	30
PID 1956 wrote to memory of 1624	1956	install-antimalware-fix.exe	30
PID 1956 wrote to memory of 1624	1956	install-antimalware-fix.exe	30
PID 1956 wrote to memory of 1624	1956	install-antimalware-fix.exe	30
PID 1956 wrote to memory of 1624	1956	install-antimalware-fix.exe	30
PID 1624 wrote to memory of 1960	1624	Zkl64zju.9F4	31
PID 1624 wrote to memory of 1960	1624	Zkl64zju.9F4	31
PID 1624 wrote to memory of 1960	1624	Zkl64zju.9F4	31
PID 1624 wrote to memory of 1960	1624	Zkl64zju.9F4	31
PID 1624 wrote to memory of 1960	1624	Zkl64zju.9F4	31
PID 1624 wrote to memory of 1960	1624	Zkl64zju.9F4	31
PID 1624 wrote to memory of 1960	1624	Zkl64zju.9F4	31
PID 1624 wrote to memory of 1272	1624	Zkl64zju.9F4	32
PID 1624 wrote to memory of 1272	1624	Zkl64zju.9F4	32
PID 1624 wrote to memory of 1272	1624	Zkl64zju.9F4	32
PID 1624 wrote to memory of 1272	1624	Zkl64zju.9F4	32
PID 1272 wrote to memory of 292	1272	RUNDLL32.EXE	34
PID 1272 wrote to memory of 292	1272	RUNDLL32.EXE	34
PID 1272 wrote to memory of 292	1272	RUNDLL32.EXE	34
PID 292 wrote to memory of 572	292	runonce.exe	35
PID 292 wrote to memory of 572	292	runonce.exe	35
PID 292 wrote to memory of 572	292	runonce.exe	35
PID 1624 wrote to memory of 456	1624	Zkl64zju.9F4	36
PID 1624 wrote to memory of 456	1624	Zkl64zju.9F4	36
PID 1624 wrote to memory of 456	1624	Zkl64zju.9F4	36
PID 1624 wrote to memory of 456	1624	Zkl64zju.9F4	36
PID 456 wrote to memory of 1456	456	RUNDLL32.EXE	37
PID 456 wrote to memory of 1456	456	RUNDLL32.EXE	37
PID 456 wrote to memory of 1456	456	RUNDLL32.EXE	37
PID 1456 wrote to memory of 1212	1456	runonce.exe	38
PID 1456 wrote to memory of 1212	1456	runonce.exe	38
PID 1456 wrote to memory of 1212	1456	runonce.exe	38
PID 1624 wrote to memory of 1924	1624	Zkl64zju.9F4	39
PID 1624 wrote to memory of 1924	1624	Zkl64zju.9F4	39
PID 1624 wrote to memory of 1924	1624	Zkl64zju.9F4	39
PID 1624 wrote to memory of 1924	1624	Zkl64zju.9F4	39
PID 1924 wrote to memory of 1876	1924	RUNDLL32.EXE	40
PID 1924 wrote to memory of 1876	1924	RUNDLL32.EXE	40
PID 1924 wrote to memory of 1876	1924	RUNDLL32.EXE	40
PID 1876 wrote to memory of 996	1876	runonce.exe	41
PID 1876 wrote to memory of 996	1876	runonce.exe	41
PID 1876 wrote to memory of 996	1876	runonce.exe	41
PID 1624 wrote to memory of 1572	1624	Zkl64zju.9F4	42
PID 1624 wrote to memory of 1572	1624	Zkl64zju.9F4	42
PID 1624 wrote to memory of 1572	1624	Zkl64zju.9F4	42
PID 1624 wrote to memory of 1572	1624	Zkl64zju.9F4	42
PID 1624 wrote to memory of 1572	1624	Zkl64zju.9F4	42
PID 1624 wrote to memory of 1572	1624	Zkl64zju.9F4	42
PID 1624 wrote to memory of 1572	1624	Zkl64zju.9F4	42
PID 1572 wrote to memory of 2024	1572	regsvr32.exe	43
PID 1572 wrote to memory of 2024	1572	regsvr32.exe	43
PID 1572 wrote to memory of 2024	1572	regsvr32.exe	43
PID 1572 wrote to memory of 2024	1572	regsvr32.exe	43
PID 1572 wrote to memory of 2024	1572	regsvr32.exe	43
PID 1572 wrote to memory of 2024	1572	regsvr32.exe	43
PID 1572 wrote to memory of 2024	1572	regsvr32.exe	43

C:\Users\Admin\AppData\Local\Temp\install-antimalware-fix.exe
"C:\Users\Admin\AppData\Local\Temp\install-antimalware-fix.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\Zkl64zju.9F4
  C:\Users\Admin\AppData\Local\Temp\Zkl64zju.9F4 /S /I /D=C:\Program Files\GridinSoft Anti-Malware\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files\GridinSoft Anti-Malware\shellext.dll"
    3⤵
    PID:1960
- - C:\Windows\system32\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:292
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:572
- - C:\Windows\system32\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:1212
- - C:\Windows\system32\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\GridinSoft Anti-Malware\Driver\gsInetSecurity.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:996
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\GridinSoft Anti-Malware\shellext.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files\GridinSoft Anti-Malware\shellext.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\GRIDIN~1\Driver\GSDriver64.sys

Filesize
54KB

MD5
5b9839e88655fc22923952eefd14387b

SHA1
3a47805ddaa9bb6060a6be90ba3d8974e235dc6b

SHA256
06ef34bb12349cff3f2989f8f7e406d6723e6dfc5ce51a3d9c30f93d8a994453

SHA512
ec77d2771481f441a541d38aec143a1a67af771c6481e737661f42eb0dc5d004ed84ae1b3bfcb8f19688147797a28d5b726ec8794c6b5d30f5b712734ed01007

Download Submit
C:\PROGRA~1\GRIDIN~1\Driver\gsInetSecurity.sys

Filesize
105KB

MD5
a384315061610b658efef84b2098c3ee

SHA1
f04b467e0090789b236bafa5e5d52f361d2dcf0a

SHA256
649bf07dbaee1faaed9fe45334fd5a007ec1b93042254604bd6c1f8742e01f37

SHA512
f48842a25da1e9d3ba43158ad2ac3c68b7f25437125b270b7ccd28515bceec4b1bbe4ffc389f1663f40e00449a4b08fc82e44ba997920299cc05d00b75e850fd

Download Submit
C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf

Filesize
2KB

MD5
8735aa35328a538c3184bd14ee15426a

SHA1
3409029a5d4fda513eca0bd9950e9c11ed371024

SHA256
4d726efb201ea421b9a08b3a9bdad17fc2016084fb8ac4b2120cf81f62386848

SHA512
27b7cf0bf1692e4829eeadc8333c7e4c3c7d6e5b280bcfc44fa952550de4aec4c5f7ca4caf9732373275b39692afa206956f0cdc64728db7913b423c06b8be78

Download Submit
C:\Program Files\GridinSoft Anti-Malware\Driver\gsInetSecurity.inf

Filesize
1KB

MD5
88d3fdf585816a72d90ad1e2b78ef3a3

SHA1
18fe9c3d1e7916cc23f2638ee7327d44202a8464

SHA256
89173c7324696d2d38c3e425b3d5b36355be14ac4604dbad7fb4d6479db599f9

SHA512
9c4070bb42f5211b6aff85ecdaa2bd0f24002e0ddaa7958e76f9888e8cab61656b033ac7b32c442e6484cd58d45ca9b4185656749368d937e973b041082cf959

Download Submit
C:\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
C:\Program Files\GridinSoft Anti-Malware\shellext.dll

Filesize
1.9MB

MD5
609a9e60a9eb6d3bdbddfa569f460010

SHA1
c31a95141e8124a0fe66b99aedfe9f35c81cf579

SHA256
5246db8448b93b4fabe779cab6744616126e8cc9a88c987dcadb33ae05a332c4

SHA512
b58dd37c3cf4b3f9b52bc599fa5518e54da5fd6e05a372f4f1d73c4318cd0cb78348d64f02746acd516580867dc7721be1817635b0c5a7e0179d89cb68f9ca50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa869d009a3f7e334090f44c21458c91

SHA1
4d779fe1196f98e9e88c1a7675a4aa100d7b4383

SHA256
d14f905f63612684d3a47cd3e5e1a26628b0e044e0a1782534f6269523b985eb

SHA512
15ef0b66b2b15c93728940f4318cae80f021ec4797caddbec4b1f65bd3b45e1c415ddacadc5c4b5ae9a9ca37ab76be2293f517c8964542017146128f1ca66c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

Filesize
16KB

MD5
816e0c904d43298bc4019561a272254d

SHA1
0673dcf66609e3078c943a4432fe9fb92c91ab00

SHA256
795154f5bcc0e4cf9847e0172988fb4bd1670d403e79bd92ca7b58d20a634659

SHA512
914c190ee9fa68c1f74f09ecaade67726e9dbcbe32d3d5cf5ce6d4391da3e717cfcd5c90e567c1b7a9553eb8c9820bbd9831158851decd3b0c31b4d55cd6400c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl

Filesize
8KB

MD5
18a571b78b7250154ec3afe4850abc88

SHA1
7b0d0793b598932161fc773e1029d3fdba69a666

SHA256
acc2475b9af38976c5caa6677980b5173020715fd888538e1d57424201026fdd

SHA512
d2c9b8097c6f2aa5ca9e993aa0388f28f98067b5bc1f52654ef980a51d55ae771f282e5d61a00a2dd5a4cd7c1a31132e983783d18f411ad39ec6575419286027

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA844.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarACBD.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zkl64zju.9F4

Filesize
114.8MB

MD5
e0a7759aaf2ff3eb16dc222dbe843992

SHA1
956bac4221474ed443e6d5c48f2dda2b6e33896f

SHA256
092c784357d68cc56206ddf2fbd910453fca655b13d0d642278df4327bcae030

SHA512
96efadac95e0487152c753ec6a21733691fa2ed214e71d677e7d4680a90180b92d753f9c1f00e4408f7615e79a52d1a4c87783b5a742ce0d09284be4c621db75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zkl64zju.9F4

Filesize
114.8MB

MD5
e0a7759aaf2ff3eb16dc222dbe843992

SHA1
956bac4221474ed443e6d5c48f2dda2b6e33896f

SHA256
092c784357d68cc56206ddf2fbd910453fca655b13d0d642278df4327bcae030

SHA512
96efadac95e0487152c753ec6a21733691fa2ed214e71d677e7d4680a90180b92d753f9c1f00e4408f7615e79a52d1a4c87783b5a742ce0d09284be4c621db75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zkl64zju.9F4

Filesize
114.8MB

MD5
e0a7759aaf2ff3eb16dc222dbe843992

SHA1
956bac4221474ed443e6d5c48f2dda2b6e33896f

SHA256
092c784357d68cc56206ddf2fbd910453fca655b13d0d642278df4327bcae030

SHA512
96efadac95e0487152c753ec6a21733691fa2ed214e71d677e7d4680a90180b92d753f9c1f00e4408f7615e79a52d1a4c87783b5a742ce0d09284be4c621db75

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoF45F.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.3MB

MD5
48d792d2592439c987642c898de5ee86

SHA1
0063f952cac58f5c9efeb57f2af38d12a39a0c02

SHA256
7ed0fe4c0816d0bdfde603c3c34a8ee18aa091ab6c40a4cc0d3c231443f72d3b

SHA512
f6ba6ed8d7d33b44c28122242c5e2c9368c5cc54c68c762c31bd3c7468195bd7624d2a448536743fea12e91bf28cef8c6b389aa1d43c7001966170414df8545e

Download Submit
\Program Files\GridinSoft Anti-Malware\shellext.dll

Filesize
1.9MB

MD5
609a9e60a9eb6d3bdbddfa569f460010

SHA1
c31a95141e8124a0fe66b99aedfe9f35c81cf579

SHA256
5246db8448b93b4fabe779cab6744616126e8cc9a88c987dcadb33ae05a332c4

SHA512
b58dd37c3cf4b3f9b52bc599fa5518e54da5fd6e05a372f4f1d73c4318cd0cb78348d64f02746acd516580867dc7721be1817635b0c5a7e0179d89cb68f9ca50

Download Submit
\Program Files\GridinSoft Anti-Malware\shellext.dll

Filesize
1.9MB

MD5
609a9e60a9eb6d3bdbddfa569f460010

SHA1
c31a95141e8124a0fe66b99aedfe9f35c81cf579

SHA256
5246db8448b93b4fabe779cab6744616126e8cc9a88c987dcadb33ae05a332c4

SHA512
b58dd37c3cf4b3f9b52bc599fa5518e54da5fd6e05a372f4f1d73c4318cd0cb78348d64f02746acd516580867dc7721be1817635b0c5a7e0179d89cb68f9ca50

Download Submit
\Users\Admin\AppData\Local\Temp\Zkl64zju.9F4

Filesize
114.8MB

MD5
e0a7759aaf2ff3eb16dc222dbe843992

SHA1
956bac4221474ed443e6d5c48f2dda2b6e33896f

SHA256
092c784357d68cc56206ddf2fbd910453fca655b13d0d642278df4327bcae030

SHA512
96efadac95e0487152c753ec6a21733691fa2ed214e71d677e7d4680a90180b92d753f9c1f00e4408f7615e79a52d1a4c87783b5a742ce0d09284be4c621db75

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF45F.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/1956-54-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/1956-143-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/1956-59-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/1956-275-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/1956-152-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/1956-55-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1956-295-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2024-292-0x0000000001DD0000-0x0000000001FC3000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads