1cf9ec2552601e941f5e85ded72aa606ad442d488ffffc9b90e8afd2ad011cf8

Analysis

max time kernel
92s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 01:55

Target

Garrys_Mod.exe
Size

221KB
MD5

927704d046ed22bda464917ba0cf8f47
SHA1

1a4a42a19b37198439c14a9685eaed46d8a73c21
SHA256

1cf9ec2552601e941f5e85ded72aa606ad442d488ffffc9b90e8afd2ad011cf8
SHA512

47a30ec07890ce0e2f4874efa4ca05bc908017e78efd80df22e539063cec39e246c636ea527595ffcbe3323d235b387149301c331ea9be28252ba1c1d184edc9
SSDEEP

3072:LaW+rTUnoRyS6AgJvVR/p4p0OkK/1o8TBziXMjvgXCCHYnfsb7KhFnJf98G:eVTUnObwq5V9

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
448	revLoader.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 448	2640	Garrys_Mod.exe	84
PID 2640 wrote to memory of 448	2640	Garrys_Mod.exe	84
PID 2640 wrote to memory of 448	2640	Garrys_Mod.exe	84

C:\Users\Admin\AppData\Local\Temp\Garrys_Mod.exe
"C:\Users\Admin\AppData\Local\Temp\Garrys_Mod.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\revLoader.exe
  revLoader.exe -launch hl2.exe -steam -game garrysmod -appid 4000 -silent -novid -noworkshop
  2⤵
  - Executes dropped EXE
  PID:448

C:\Users\Admin\AppData\Local\Temp\revLoader.exe

Filesize
33KB

MD5
3289557dda56ebe91f377e0663ede5b6

SHA1
ec0ad6e72cec1975e9302becd272c6ebe25a25e0

SHA256
562d03c97644c0229b2981d7cd4a0d1f61c2ca08d2c6d4e7b6710337c3063628

SHA512
6334af32494d6c590c5eec8ffe28585fc15e2df03de30e8bb674b38585a347c83eeb33648f56e036c8fa6e4c38eaaeb8d7b8f3db9ae66ce34be043fd8c1adb3d

Download Submit
memory/2640-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download