32c25f32973977f55948bcd9896964b98a948ff4a9af600fd0a3cb280993e307

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 18:59

Target

六六辅助免费版1.0/Jsy66.dll
Size

156KB
MD5

d401c0a925e0f4a775e53908401182d4
SHA1

23f0f9cc11a20b38d78b15d9934798f77381ad14
SHA256

cc7bdf67d938aa2c24d9e01e41aff793045496371ae0df105a83250b77d35225
SHA512

d771a011701de1261b15b1ef7bc9c27e999e51faf719559d238f0fae23c45321953283276b930c3f6a356df69dabc4a84db7b2967fed8151a40cd458d320188d
SSDEEP

3072:jxDlLWcsv6rf3gaqDynFycRwfGv0Tkk1H1oxWyBury9NX0r26pGSyj4:jxxLWcsgqDyFycRwxTZoxWybiw

Score

8^/10

vmprotect

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/3960-133-0x0000000010000000-0x000000001002B000-memory.dmp	vmprotect
behavioral2/memory/3960-134-0x0000000010000000-0x000000001002B000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3960	1656	rundll32.exe	73
PID 1656 wrote to memory of 3960	1656	rundll32.exe	73
PID 1656 wrote to memory of 3960	1656	rundll32.exe	73

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\六六辅助免费版1.0\Jsy66.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\六六辅助免费版1.0\Jsy66.dll,#1
  2⤵
  PID:3960

memory/3960-133-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download
memory/3960-134-0x0000000010000000-0x000000001002B000-memory.dmp

Filesize
172KB

Download