377ffa3727bf6698fc1367d0c2b6709b134628d59e5bb709fa00ad17fffd3fbb

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 03:37

Target

单板换肤防封v12.16.2.exe
Size

3.1MB
MD5

3ae306a3a586a657eeeb859770338ef3
SHA1

226463704acb747f2d20aa7e53ce59f3eba75515
SHA256

b18cb3772871adce4c9b468785bd9b48be12a263260643169b804b18a7774d71
SHA512

046c03f4fe5b8992d93d5574a10da1e99887521a83a56696747b50a20303157127d1aabf53f5be8d0399c2366680a2ec79a072c6b33f0771c8f77e286c67856e
SSDEEP

49152:C3rLEs9B9egpZI9oa1DdJ9/NxzFaXCN7VlcYAeXlmPqBH1bPnZ09Uk:C3r3tp+9vvhIXeXBPcU

Score

8^/10

vmprotect

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/5080-132-0x0000000000400000-0x0000000000C00000-memory.dmp	vmprotect
behavioral2/memory/5080-133-0x0000000000400000-0x0000000000C00000-memory.dmp	vmprotect
behavioral2/memory/5080-137-0x0000000000400000-0x0000000000C00000-memory.dmp	vmprotect
behavioral2/memory/5080-140-0x0000000000400000-0x0000000000C00000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 22 IoCs

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5080	单板换肤防封v12.16.2.exe
5080	单板换肤防封v12.16.2.exe

memory/5080-132-0x0000000000400000-0x0000000000C00000-memory.dmp

Filesize
8.0MB

Download
memory/5080-133-0x0000000000400000-0x0000000000C00000-memory.dmp

Filesize
8.0MB

Download
memory/5080-135-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/5080-137-0x0000000000400000-0x0000000000C00000-memory.dmp

Filesize
8.0MB

Download
memory/5080-140-0x0000000000400000-0x0000000000C00000-memory.dmp

Filesize
8.0MB

Download