Loading... Additional Content is being loaded

Windows Analysis Report
plushvcionattkingstoreff6.exe

Overview

General Information

Sample name:	plushvcionattkingstoreff6.exe
Analysis ID:	1592711
MD5:	d9749e4fa68401f4b2d20943afac12f5
SHA1:	3c64398f709e8120aa7a50eaa1722488b9fe4207
SHA256:	8dd72abe3c57869b49ecc71848acedac62ddc8ab0a02332f7c48324935aa0e30
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: plushvcionattkingstoreff6.exe	Virustotal: Detection: 58%			Perma Link
Source: plushvcionattkingstoreff6.exe	ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: plushvcionattkingstoreff6.exe

Joe Sandbox ML: detected

Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_de443b5c-0

Source: plushvcionattkingstoreff6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: <^D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe

Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie

Source: plushvcionattkingstoreff6.exe

Binary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ

Source: classification engine

Classification label: mal56.evad.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3616:120:WilError_03

Source: plushvcionattkingstoreff6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: plushvcionattkingstoreff6.exe	Virustotal: Detection: 58%
Source: plushvcionattkingstoreff6.exe	ReversingLabs: Detection: 57%

Source: plushvcionattkingstoreff6.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe "C:\Users\user\Desktop\plushvcionattkingstoreff6.exe"
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: d3dx11_43.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: d3d11.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: d3dcompiler_43.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: msvcp140.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140_1.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: dxgi.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140_1.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140.dll			Jump to behavior

Source: plushvcionattkingstoreff6.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: plushvcionattkingstoreff6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: plushvcionattkingstoreff6.exe

Static file information: File size 4224512 > 1048576

Source: plushvcionattkingstoreff6.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11f800
Source: plushvcionattkingstoreff6.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x28e200

Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: plushvcionattkingstoreff6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: plushvcionattkingstoreff6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: <^D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe

Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: plushvcionattkingstoreff6.exe	Binary or memory string: PROCESSHACKER.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: PROCMON.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: OLLYDBG.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: X64DBG.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: REGMON.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: [ %.FM ] HEALTH RENDERED][ CR][VALORANT PLUS] - FPS: %.1FCPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WIN980C8DE97FFFFAD4C5E27B1E48A37561DDA18BD70D38E6D40AE0AC84529DAB4FSYSTEM\CURRENTCONTROLSET\CONTROL\DEVICEGUARD\SCENARIOS\HYPERVISORENFORCEDCODEINTEGRITYENABLEDDIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS
Source: plushvcionattkingstoreff6.exe	Binary or memory string: WINDBG.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: FIDDLER.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: IDAQ.EXEH
Source: plushvcionattkingstoreff6.exe	Binary or memory string: PEID.EXEH
Source: plushvcionattkingstoreff6.exe	Binary or memory string: IDAG.EXEH
Source: plushvcionattkingstoreff6.exe	Binary or memory string: WIRESHARK.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: FILEMON.EXE

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe

Code function: 0_2_00007FF7AEAEDF30 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7AEAEDF30

AV process strings found (often used to terminate AV products)

Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OLLYDBG.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: LordPE.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Tcpview.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: regmon.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256

AV Detection

Multi AV Scanner detection for submitted file

Source: plushvcionattkingstoreff6.exe	Virustotal: Detection: 58%			Perma Link
Source: plushvcionattkingstoreff6.exe	ReversingLabs: Detection: 57%

Machine Learning detection for sample

Source: plushvcionattkingstoreff6.exe

Joe Sandbox ML: detected

Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_de443b5c-0

Source: plushvcionattkingstoreff6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: <^D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe

Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: plushvcionattkingstoreff6.exe	String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie

Source: plushvcionattkingstoreff6.exe

Binary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ

Source: classification engine

Classification label: mal56.evad.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3616:120:WilError_03

Source: plushvcionattkingstoreff6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: plushvcionattkingstoreff6.exe	Virustotal: Detection: 58%
Source: plushvcionattkingstoreff6.exe	ReversingLabs: Detection: 57%

Source: plushvcionattkingstoreff6.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe "C:\Users\user\Desktop\plushvcionattkingstoreff6.exe"
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: d3dx11_43.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: d3d11.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: d3dcompiler_43.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: msvcp140.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140_1.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: dxgi.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140_1.dll			Jump to behavior
Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe	Section loaded: vcruntime140.dll			Jump to behavior

Source: plushvcionattkingstoreff6.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: plushvcionattkingstoreff6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: plushvcionattkingstoreff6.exe

Static file information: File size 4224512 > 1048576

Source: plushvcionattkingstoreff6.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11f800
Source: plushvcionattkingstoreff6.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x28e200

Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: plushvcionattkingstoreff6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: plushvcionattkingstoreff6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: plushvcionattkingstoreff6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: <^D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI ON VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcionattkingstoreff6.exe

Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: plushvcionattkingstoreff6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: plushvcionattkingstoreff6.exe	Binary or memory string: PROCESSHACKER.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: PROCMON.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: OLLYDBG.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: X64DBG.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: REGMON.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: [ %.FM ] HEALTH RENDERED][ CR][VALORANT PLUS] - FPS: %.1FCPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WIN980C8DE97FFFFAD4C5E27B1E48A37561DDA18BD70D38E6D40AE0AC84529DAB4FSYSTEM\CURRENTCONTROLSET\CONTROL\DEVICEGUARD\SCENARIOS\HYPERVISORENFORCEDCODEINTEGRITYENABLEDDIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS
Source: plushvcionattkingstoreff6.exe	Binary or memory string: WINDBG.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: FIDDLER.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: IDAQ.EXEH
Source: plushvcionattkingstoreff6.exe	Binary or memory string: PEID.EXEH
Source: plushvcionattkingstoreff6.exe	Binary or memory string: IDAG.EXEH
Source: plushvcionattkingstoreff6.exe	Binary or memory string: WIRESHARK.EXE
Source: plushvcionattkingstoreff6.exe	Binary or memory string: FILEMON.EXE

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\plushvcionattkingstoreff6.exe

Code function: 0_2_00007FF7AEAEDF30 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7AEAEDF30

AV process strings found (often used to terminate AV products)

Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OLLYDBG.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: procexp.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: LordPE.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Tcpview.exe
Source: plushvcionattkingstoreff6.exe, 00000000.00000000.1661809317.00007FF7AEAF1000.00000002.00000001.01000000.00000003.sdmp, plushvcionattkingstoreff6.exe, 00000000.00000002.2926561794.00007FF7AEAF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: regmon.exe