de3e7309a038212864c3f1d717e29cbc3528390f1a8a99b5aee924f1fddc2508

Analysis

max time kernel
263s
max time network
261s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install-Anti-Malware-ti.exe
Size

884KB
MD5

d4bc14d79adb65d8a03c1043f0c2ff07
SHA1

d454154fe8241eecf2a53f658aaeed805d25fecc
SHA256

de3e7309a038212864c3f1d717e29cbc3528390f1a8a99b5aee924f1fddc2508
SHA512

71f04ad3d96e5d83839cb9effb71ac826cb9ea6e4701c0e744b7d9f80fe029669f8ce06b6080e0c97a94abe1be44f81b09dbd0b57758cd11249ab1e39fc30a29
SSDEEP

24576:n9HmIVL1Tvp/MdafdwXCK0W8R/XJe0oYbdVRcTjCPJrIklTG0Z:RmIVXCafdjJDM0oYbTRejCxrIklTG0Z

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\GSDriver64.sys	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	2536	Install-Anti-Malware-ti.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-0-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/2536-12-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/2536-15-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/2536-24-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/2536-27-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/2536-28-0x0000000000400000-0x0000000000655000-memory.dmp	upx
behavioral1/memory/2536-54-0x0000000000400000-0x0000000000655000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\kazakh.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\urdu.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\gsInetSecurity.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\freebl3.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\brazilian portuguese.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\chinese (traditional).lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\polish.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\sqlite3.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\bulgarian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\chinese (Simplified).lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\georgian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\hungarian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\romanian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\swedish.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver64.sys	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\gsInetSecurity.sys	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\softokn3.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\uninst.exe	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\gsam.exe	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\plc4.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\azerbaijani.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\finnish.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\slovenian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\ssleay32.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\libnspr4.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\french.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\persian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\serbian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\turkish.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\gsdriver.cat	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nss3.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nssdbm3.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\portuguese.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\plds4.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\afrikaans.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\arabic.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\czech.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\filipino.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\lithuanian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\slovak.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\vietnamese.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\tkcon.exe	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\7z.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nssutil3.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\amharic.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\danish.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\japanese.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\nepali.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\spanish.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\gtkmgmt.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\whatsnew.dat	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nspr4.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\NSS\nssckbi.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\croatian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\hindi.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\pFilters.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\indonesian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\korean.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\latvian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\russian.lng	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Driver\gsInetSecurity.inf	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\libmem.dll	11193cqZ.3ZA
File created	C:\Program Files\GridinSoft Anti-Malware\Languages\malaysian.lng	11193cqZ.3ZA

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Executes dropped EXE 1 IoCs

pid	Process
2952	11193cqZ.3ZA

Loads dropped DLL 8 IoCs

pid	Process
2536	Install-Anti-Malware-ti.exe
2952	11193cqZ.3ZA
2952	11193cqZ.3ZA
2952	11193cqZ.3ZA
1176	Process not Found
1176	Process not Found
1176	Process not Found
1176	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install-Anti-Malware-ti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11193cqZ.3ZA
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Install-Anti-Malware-ti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Install-Anti-Malware-ti.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Install-Anti-Malware-ti.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install-Anti-Malware-ti.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1564	RUNDLL32.EXE
Token: SeRestorePrivilege	1564	RUNDLL32.EXE
Token: SeRestorePrivilege	1564	RUNDLL32.EXE
Token: SeRestorePrivilege	1564	RUNDLL32.EXE
Token: SeRestorePrivilege	1564	RUNDLL32.EXE
Token: SeRestorePrivilege	1564	RUNDLL32.EXE
Token: SeRestorePrivilege	1564	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	Install-Anti-Malware-ti.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2952	2536	Install-Anti-Malware-ti.exe	33
PID 2536 wrote to memory of 2952	2536	Install-Anti-Malware-ti.exe	33
PID 2536 wrote to memory of 2952	2536	Install-Anti-Malware-ti.exe	33
PID 2536 wrote to memory of 2952	2536	Install-Anti-Malware-ti.exe	33
PID 2536 wrote to memory of 2952	2536	Install-Anti-Malware-ti.exe	33
PID 2536 wrote to memory of 2952	2536	Install-Anti-Malware-ti.exe	33
PID 2536 wrote to memory of 2952	2536	Install-Anti-Malware-ti.exe	33
PID 2952 wrote to memory of 2840	2952	11193cqZ.3ZA	34
PID 2952 wrote to memory of 2840	2952	11193cqZ.3ZA	34
PID 2952 wrote to memory of 2840	2952	11193cqZ.3ZA	34
PID 2952 wrote to memory of 2840	2952	11193cqZ.3ZA	34
PID 2952 wrote to memory of 2840	2952	11193cqZ.3ZA	34
PID 2952 wrote to memory of 2840	2952	11193cqZ.3ZA	34
PID 2952 wrote to memory of 2840	2952	11193cqZ.3ZA	34
PID 2952 wrote to memory of 1564	2952	11193cqZ.3ZA	35
PID 2952 wrote to memory of 1564	2952	11193cqZ.3ZA	35
PID 2952 wrote to memory of 1564	2952	11193cqZ.3ZA	35
PID 2952 wrote to memory of 1564	2952	11193cqZ.3ZA	35
PID 1564 wrote to memory of 2152	1564	RUNDLL32.EXE	37
PID 1564 wrote to memory of 2152	1564	RUNDLL32.EXE	37
PID 1564 wrote to memory of 2152	1564	RUNDLL32.EXE	37

C:\Users\Admin\AppData\Local\Temp\Install-Anti-Malware-ti.exe
"C:\Users\Admin\AppData\Local\Temp\Install-Anti-Malware-ti.exe"
1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\11193cqZ.3ZA
  C:\Users\Admin\AppData\Local\Temp\11193cqZ.3ZA /S /I /D=C:\Program Files\GridinSoft Anti-Malware\
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files\GridinSoft Anti-Malware\shellext.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\system32\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      PID:2152
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:2292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf

Filesize
2KB

MD5
8735aa35328a538c3184bd14ee15426a

SHA1
3409029a5d4fda513eca0bd9950e9c11ed371024

SHA256
4d726efb201ea421b9a08b3a9bdad17fc2016084fb8ac4b2120cf81f62386848

SHA512
27b7cf0bf1692e4829eeadc8333c7e4c3c7d6e5b280bcfc44fa952550de4aec4c5f7ca4caf9732373275b39692afa206956f0cdc64728db7913b423c06b8be78

Download Submit
C:\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
25.8MB

MD5
650ce0ef25d8e761d48a5a1430d100b5

SHA1
57f9976d6902ec9ec84c2c895560d0111dbf7bcf

SHA256
09980ff88c3a43bdf4462fb473573f3fc9da9af2b1cd19d8d1927e37934b59b9

SHA512
3c3f7753c2a0d6f29f4418d347e7a14a3134f8281b83a8b73ec3aa2fbf95f26126c38dbf458b644b9bd73b31d48319e7455ac2bd9ecd543d8044e8e48078f3f2

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
22.7MB

MD5
c0da1081c5522ed144ef5d4aa5c0daf3

SHA1
332dbc56578a50ea4ac2568b814a359541c4dd6c

SHA256
64a0f043657af937ffd1c0d1d8ea5305df53462b9dffbf067c8030213fcaaa73

SHA512
69297fd7f2bfbaeefb43b2c1007a3a5367c5ecdc572f1e3ca4a00bc365d3a7f52cec37cc91a573faa9a0a77deb452440f8ea1694c4b3f13d0d09cdcbb21a0395

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
22.8MB

MD5
6e22b0c27e466dc9314c5ffc1bcc7838

SHA1
7d4acd51101997f636c07fcb6770901bf1f0d542

SHA256
a4152ad0b1102277bb80a282dae6962551de7460e70375ff646b34badc275c2c

SHA512
80eb4dc428636ff562509bbf481553153acda6a7abe9fa00da9d543af88bb7cf8ff876b2cd29aa65a643074100f6e854a736aec74b52bd9aaf5048cf88aebe60

Download Submit
\Program Files\GridinSoft Anti-Malware\gsam.exe

Filesize
22.7MB

MD5
1c641534c170c3b571c66e79da1b190e

SHA1
f0c3bc41185e565d4c7f26516e8d1483801019cc

SHA256
eebdb0bcdc853380c4fa6e155173239af876ab61cb17eecf4ee58dd729f0ff98

SHA512
7cf3174b083feb5615857072eafff982c64d780d71299f80994232c5f0a98e9db44883b5a4f78c7b818d22cbd437a4552083a55161c3791497cc1a5da34318fd

Download Submit
\Users\Admin\AppData\Local\Temp\nsqD9CD.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/2536-27-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2536-28-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2536-0-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2536-54-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2536-24-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2536-15-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2536-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2536-12-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/2536-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads