69a38c4eb697c9275bf7e847e5eb90365d7b7862f26e82286a71b18947c902ff

Analysis

max time kernel
45s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mod Organizer 2-6194-2-5-0-1701057391.exe
Size

134.2MB
MD5

ffebbce45ad4ab2ec509f6f1fe7470ed
SHA1

0a4bae0b161920cb3bab57db7063d02071f1ea15
SHA256

69a38c4eb697c9275bf7e847e5eb90365d7b7862f26e82286a71b18947c902ff
SHA512

d4fc61759f0a9c135a1d2a63ab068d0e52ad4721e3a5d15be974f10ee6500a2f5f6291da6d4ea8e1deb07e8ff423a669e8b2cbcd4c09df34d5ff53a702d9aebb
SSDEEP

3145728:xzNk496Nvt60nwjCAtxUIk0Z1NY5ORZ6RaQTi:xWnvt60iDkki+Z6RU

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1756 powershell.exe
2440 powershell.exe
1944 powershell.exe
3024 powershell.exe
2760 powershell.exe
2736 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.tmpModOrganizer.exe

pid process

2956 Mod Organizer 2-6194-2-5-0-1701057391.tmp
916 ModOrganizer.exe

pid	process
1756	powershell.exe
2440	powershell.exe
1944	powershell.exe
3024	powershell.exe
2760	powershell.exe
2736	powershell.exe

pid	process
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp
916	ModOrganizer.exe

Loads dropped DLL 12 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.exeMod Organizer 2-6194-2-5-0-1701057391.tmpModOrganizer.exe

pid	process
2152	Mod Organizer 2-6194-2-5-0-1701057391.exe
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp
916	ModOrganizer.exe
916	ModOrganizer.exe
916	ModOrganizer.exe
916	ModOrganizer.exe
916	ModOrganizer.exe
916	ModOrganizer.exe
916	ModOrganizer.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMod Organizer 2-6194-2-5-0-1701057391.tmp

pid	process
2760	powershell.exe
2736	powershell.exe
1756	powershell.exe
2440	powershell.exe
1944	powershell.exe
3024	powershell.exe
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.tmp

pid process

2956 Mod Organizer 2-6194-2-5-0-1701057391.tmp

pid	process
2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.exeMod Organizer 2-6194-2-5-0-1701057391.tmp

description	pid	process	target process
PID 2152 wrote to memory of 2956	2152	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 2152 wrote to memory of 2956	2152	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 2152 wrote to memory of 2956	2152	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 2152 wrote to memory of 2956	2152	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 2152 wrote to memory of 2956	2152	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 2152 wrote to memory of 2956	2152	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 2152 wrote to memory of 2956	2152	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 2956 wrote to memory of 2760	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2760	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2760	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2760	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2736	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2736	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2736	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2736	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1756	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1756	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1756	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1756	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2440	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2440	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2440	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 2440	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1944	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1944	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1944	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 1944	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 3024	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 3024	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 3024	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 3024	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 2956 wrote to memory of 916	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	ModOrganizer.exe
PID 2956 wrote to memory of 916	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	ModOrganizer.exe
PID 2956 wrote to memory of 916	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	ModOrganizer.exe
PID 2956 wrote to memory of 916	2956	Mod Organizer 2-6194-2-5-0-1701057391.tmp	ModOrganizer.exe

C:\Users\Admin\AppData\Local\Temp\Mod Organizer 2-6194-2-5-0-1701057391.exe
"C:\Users\Admin\AppData\Local\Temp\Mod Organizer 2-6194-2-5-0-1701057391.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\is-8VFA5.tmp\Mod Organizer 2-6194-2-5-0-1701057391.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8VFA5.tmp\Mod Organizer 2-6194-2-5-0-1701057391.tmp" /SL5="$3013A,139785235,822784,C:\Users\Admin\AppData\Local\Temp\Mod Organizer 2-6194-2-5-0-1701057391.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath "\"C:\Modding\MO2\""
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath "\"C:\Users\Admin\AppData\Local\ModOrganizer\""
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "ModOrganizer.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "usvfs_proxy_x86.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "usvfs_proxy_x64.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "nxmhandler.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Modding\MO2\ModOrganizer.exe
"C:\Modding\MO2\ModOrganizer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Modding\MO2\dlls\opengl32sw.dll
Filesize
19.7MB

MD5
22be32c27456eff9117b84b751608bf1

SHA1
bebf0c129a041a6a2cc24d3e55acf6bad2a896ea

SHA256
bca15d37fdd6dcec34a01459f7710a572b9eb7f6f8b5d382a8d66c65d65b16d5

SHA512
3b6b1f715e618c973e452c94beb0a8963fcc0c587edd3790c6dcb9c10cbd240857665b4cea419713879df07e886a6b0ff9199497f494df4855586e42a63877de

Download Submit
C:\Modding\MO2\plugins\installer_wizard\lib\antlr4\error\is-AIIBE.tmp
Filesize
28B

MD5
5025560e7b6aaf7da18be5c9eaafddb8

SHA1
9852553fb683d73b97fc0793d45ac981822d2338

SHA256
82c9d076d4c7f085200a2554a507f3871c76a4546f92c5bbe928f0224ddf6129

SHA512
f6c7f92d5cc88956d8d384f97d7d9c51f07c8968977edca894d706104112b1a60eb5c2abc1a6a0846a8e1ae935ad2ef2682a9a0709c29a4c257ab7b72ad2d286

Download Submit
C:\Modding\MO2\plugins\installer_wizard\lib\chardet-5.2.0.dist-info\is-VDO5T.tmp
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Modding\MO2\qml\QtQuick\Controls\Universal\is-FI9TV.tmp
Filesize
1KB

MD5
63340c8fcb71734ce4bbac29a86821b5

SHA1
0cfd02b3e95fa482cbd4bd83b0f2d9214acc9709

SHA256
78b5fc58e6d881d16351e92d32b8cadea6b14fbf8c20c1bc7e56d02946467ae8

SHA512
fe035bb77a32d0fe9d4983d90c65d4c2600a019ac20743dbec409f29ffbfbecd8bca2d15abfffb2e71b77e3c105e248627a176942cdf9d7b98ed9113e6f73ba0

Download Submit
C:\Modding\MO2\qml\QtQuick\Controls\Windows\is-QQ6UP.tmp
Filesize
215B

MD5
2006d4b7d0da455aa4c7414653c0018a

SHA1
6685b8360b97799aa4d6b18789bf84a343e9e891

SHA256
a96c7bf5832767bdc9d91e2290a3920aec3abfbf2e3814bce38b49483f16f84a

SHA512
703804e6fab0cf44317b7292c547a1348e2e7395e4b71367c32c3b097bcfb3344d3296179bf4ba33a4c752ae58a3873af57d8cdef35a34564205356bb4e6fd84

Download Submit
C:\Modding\MO2\stylesheets\Paper\Light\Toolbar\is-OOP8O.tmp
Filesize
6KB

MD5
76babafdbbcaf4fc7678d13734c6abeb

SHA1
de88aff436509f1f9adaef52b74c9ceded5e4434

SHA256
c705366459c6d7f78e1f88286aba0d06b2734db8fc9d7ae91b3d32034879b440

SHA512
eab9cc976780137c0381981b08e6300ef3a2c1aa97d57c7294ae2d6756002bdfbeb94518f05204d5e8e4d20e112fa4e66fc8faec57d3bed1326c921e811b32c5

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-5LBGB.tmp
Filesize
217B

MD5
dd54c7493117a47005abab57cf0462b4

SHA1
a108be01c4e8ad09dccf0ec19ad9317a859df38d

SHA256
eb5085354f04df39f56fa1b0adf2ce3fac5fbcd0bcb22624bbb78730f93bb7d4

SHA512
7d1fe9b7c856cdc40dd3afd44283fe98adb47c870eaaee6ed69af2b07b278d4c43c1f6feba8a6c9a7fb67df6bcff2cda84e572871c647df736336a3bcbc9af91

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-AHND9.tmp
Filesize
226B

MD5
efe7e95bc3aa955e45d093239525d321

SHA1
6fc2a76b0e0a7efd8ce3bc926fd077fc3839361c

SHA256
484225e6610f9fdab1f7c217ed2a98567c5287785f1dbf264cc9bf55f990acac

SHA512
d9582fb34cba1e3cf31cb91e5e33487271df710336141ec31c5c0c8e17abac66f6bcdd121b3caa50680ec50a8c85d988565deec7f7adf06fe971218d43094037

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-EFUGH.tmp
Filesize
218B

MD5
9a36c217d63cb84cfe10dc76c5f2df68

SHA1
ecc9cbec26bfa08b4d1e8e5be58403588a7f19b2

SHA256
95a45b41ebe19f5f3e4ddcbf9ce5c595ada45cd3eaa22a07ec3209fc037481a7

SHA512
c73290fe3deb589b8e856af864c0723b239d3cebe7908054669ed8129a85ab1d687280f0f077b886892b98ebae8d4ca54f3448be4b85571ad0b60e573afd11a6

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-M8DVR.tmp
Filesize
219B

MD5
8ed1109e1ca16283d5fd6d6f0b6b2154

SHA1
43a36180306b12cc89df8a30e8cff910140a8741

SHA256
2214bcafe812565643824ca4df6cecf763279cffa84dab02bc2d62a1bac21d06

SHA512
b83a4219c78cb49bdf20959467cfc7cffb790f0116b4c3a31475aba23bda18ce42e0a9f7829f92ade4f750ed3aa89aaa23d639451cfeba1f83c1c3b33ad67295

Download Submit
C:\Modding\MO2\translations\is-HG2HB.tmp
Filesize
33B

MD5
aaea7ba475c961f941d0a23488457beb

SHA1
2bf0054002c8f7d85dd080df332553bf9b3a8e26

SHA256
494ac9a2b2cb2fdeced353f4a9f898ed8dcf616e9bc667438c62681e3f7f79cf

SHA512
5b408c36c8f93f71e73e3d3b1c0c2ad699e92a6088604b8adf8e588e8a75fc3fc92828199b7f00f5b05b224ae819220d07e56d610a76a267594870bec77172be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KKTCZ3QY137QB6BT4G7D.temp
Filesize
7KB

MD5
49d348d846d7f90c7b825cd29624c90e

SHA1
c8f3eed24ab7078a41f6eb239f0102cdaf474ffc

SHA256
26495f01c56618a1b7ee04bbcd245926a1c534e09df0a61879c1cc30980aba97

SHA512
41a9009b22f883fb9f7975e86cb69b7b12bb5ef1a226cf725bb7f88c65676be951c6bc500e63430f31e905e4b79fbb093fed3643c894e26aa7e877dc4c7b0ad5

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Modding\MO2\ModOrganizer.exe
Filesize
4.7MB

MD5
ad741539da7f8528c4b7f8ddd9f34834

SHA1
8dd5b5330706e22e3c9aa0f18857abe5a015d6f8

SHA256
80ac43549d7e15249a5cba2f1e8509612b229ffc0e949a6b940137d87c27c226

SHA512
9a9899df9f2064ee21f0134c1d8ae3b7dbe8a57dbc20511da95be3f086c4420b97ea620c98d26d467449539b0dbf5ed8f43429e523b1b32990121a7f619ca814

Download Submit
\Modding\MO2\dlls\Qt6Core.dll
Filesize
5.5MB

MD5
a42d8142092885a83fc779f660466a0c

SHA1
106232efdb591364a78638f27fc2067717a65868

SHA256
abf826a5763c4b3517258f07060a7a93f4d47ae14f79253304dc2a4dbe0d98a2

SHA512
8ffbb942f996bb89b871b73494c0a9b913316e6440e263b3416604ac294cf987039db979f55aa61c34869a101cbc6a9db0323aee71a847840ace4e652639f98c

Download Submit
\Modding\MO2\dlls\Qt6Network.dll
Filesize
1.3MB

MD5
4d101c62f1b454b432e66b29683b684a

SHA1
af7d8a756eaa146f8284f71a09a06a8f3f0fb0d0

SHA256
ad92ea3b43d4602b554a50d18d739ee2ee9fcaf47ac82f30aa8143f82fbea932

SHA512
681c80fa9388b8f4dafb5db651dda853bf7031b4ad3442d19d5c18946a90269c691fe9a36e89236c285d1a5f4f3bc44e8d52a0ccb0c459afc24203d4a5a88f20

Download Submit
\Modding\MO2\dlls\Qt6Qml.dll
Filesize
4.4MB

MD5
78eb120c81df5606e8c753cc2fc13a04

SHA1
e4ed29d8ba4a10fe7b04f549d425f80a530cc8f4

SHA256
7f15ebaf44115ac977f6424356a4bb227efc1069779a949c21dba6b4fb770a0c

SHA512
74b0b19c1ef518b692ba90dc93bcd9b4a2830686e8a85c7cf3585fe384501dc5ceb639fda80ae104e7467583928926170251388b071d1334f074ced30f8ef0f4

Download Submit
\Modding\MO2\dlls\Qt6QmlModels.dll
Filesize
667KB

MD5
69534773867ec67b7f9878c98381c4ae

SHA1
a80ebe1aace97c9bef9e8e889c40716f126d63ea

SHA256
0d093f7a794d9690e68123efa1294757a1c04a4d528cb043bf6b2e14ab2fd507

SHA512
70268390676ef29ea6fe0d6366e140efdd4f592216df101bb0c25746ae50c7d424ad7fa89546ae6ec59d6550ef6dffc580a6da1d469f52b4655ed5ca8975609a

Download Submit
\Modding\MO2\dlls\Qt6Quick.dll
Filesize
5.0MB

MD5
447f2ce51fe0c0e7a4c593f87186723c

SHA1
7a9feaa055534994efae4f14c07909a799c95415

SHA256
bd6fdfb8f64e1273397b8985e9b538fffbb840360ebf9b01be6e20a76f71f73d

SHA512
00dcce8851065e123a68482d9b975a9bd561a0ab9ed012bfe55ca95c6ad8cb5cdb7ad543ccfa6bb363ee335fbcbaeff1e5466b6930f30cca8c4c73bd3bca714a

Download Submit
\Modding\MO2\dlls\Qt6QuickWidgets.dll
Filesize
110KB

MD5
efa460e18dbbd4856e7a8386349a0d8c

SHA1
602fa67d8d27770a7d9b866a04b15c523b9f21b2

SHA256
036bb47ac43441eb419662c7ccf509a994f673db1e2ff8a758e1367aa3d7ba37

SHA512
c8588c8bbf24495ee7a45a637e7955c19ba385e88cebcc2f3d8ed7af379b4572d30a8eafa8a3f95c8c977d57980a32149ee6bb0568f920bb72797b3ca2fd10ec

Download Submit
\Modding\MO2\uibase.dll
Filesize
958KB

MD5
bf8ee1801e96290cadd22cd229ab2a8b

SHA1
83586fd54e0d22deff8d5e3bb07c6e43ceb1b65b

SHA256
b52ff121ab23e0e6a4cf4d12722b3447579047fdcd42582bbfcda94be7bc7c07

SHA512
4079147474e0205fcd0c84f6f7fba7b90177f9b4ee37355548681cf833367f48a32c4b215dd114ccf956c1661f0c62dd6bbed970520ae4290d8d5c96d26b772c

Download Submit
\Modding\MO2\unins000.exe
Filesize
3.0MB

MD5
0bbadf6a804590cab4df238802005f0e

SHA1
4bec2332292ca90ad393f5b9ce3b536b5fb34e1b

SHA256
fa0d9efa3d1b4c06442f37382fef46f20e4980744c54e204e663bc38568d2ea3

SHA512
bb7b8bbf7ccc9fdf27b347e5b86409231ab13a048ea2928aff1207c5a9e42e2bc675b1d4a753725afd9648caa0ff092379b39fff9ccc07be51aac45743558366

Download Submit
\Users\Admin\AppData\Local\Temp\is-41UUD.tmp\isxdl.dll
Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
\Users\Admin\AppData\Local\Temp\is-8VFA5.tmp\Mod Organizer 2-6194-2-5-0-1701057391.tmp
Filesize
3.0MB

MD5
2358bc3d6a1e649694f23d8426278b3a

SHA1
f505fad0e1159bd07244a811256e8b64af23e35c

SHA256
94e4c45cc6a333d645489ee5094a693bb7f0d83fb6881200197f128a9c580281

SHA512
d1bb45c83a73e4971a28c1fe85abe2369b9865bb4428019a112c843b0b9d4713bc8da654a118b0d765602294936e7df3a146f1ea674266a16d34e836f1b10a68

Download Submit
memory/2152-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2152-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2152-4291-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2152-14-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2736-28-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2736-27-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-21-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2760-20-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2956-8-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2956-1139-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2956-1056-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2956-15-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2956-4290-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2956-4189-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads