| Source: plushvcioffattkingstore17774t85.exe |
ReversingLabs: Detection: 55% |
| Source: plushvcioffattkingstore17774t85.exe |
Virustotal: Detection: 70% |
Perma Link |
| Source: plushvcioffattkingstore17774t85.exe |
Joe Sandbox ML: detected |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
memstr_726da286-3 |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Source: |
Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcioffattkingstore17774t85.exe |
| Source: |
Binary string: <qD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcioffattkingstore17774t85.exe |
| Source: plushvcioffattkingstore17774t85.exe |
String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html |
| Source: plushvcioffattkingstore17774t85.exe |
String found in binary or memory: https://github.com/googlefonts/lexend)6_ju |
| Source: plushvcioffattkingstore17774t85.exe |
String found in binary or memory: https://scripts.sil.org/OFLThis |
| Source: plushvcioffattkingstore17774t85.exe |
String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie |
| Source: plushvcioffattkingstore17774t85.exe |
Binary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ |
| Source: classification engine |
Classification label: mal56.evad.winEXE@2/0@0/0 |
| Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03 |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
| Source: plushvcioffattkingstore17774t85.exe |
ReversingLabs: Detection: 55% |
| Source: plushvcioffattkingstore17774t85.exe |
Virustotal: Detection: 70% |
| Source: plushvcioffattkingstore17774t85.exe |
String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory |
| Source: unknown |
Process created: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe "C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe" |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: apphelp.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: d3dx11_43.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: d3d11.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: d3dcompiler_43.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: msvcp140.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: dwmapi.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: winhttp.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: userenv.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: vcruntime140_1.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: vcruntime140.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: dxgi.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: vcruntime140.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: vcruntime140_1.dll |
Jump to behavior |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Section loaded: vcruntime140.dll |
Jump to behavior |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
| Source: plushvcioffattkingstore17774t85.exe |
Static file information: File size 4222976 > 1048576 |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11f400 |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x28e200 |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: |
Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcioffattkingstore17774t85.exe |
| Source: |
Binary string: <qD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\plus\x64\Release\Google Chrome.pdb source: plushvcioffattkingstore17774t85.exe |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
| Source: plushvcioffattkingstore17774t85.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: PROCESSHACKER.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: PROCMON.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: OLLYDBG.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: [ %.FM ] HEALTH RENDERED][ CR][VALORANT PLUS] - FPS: %.1FCPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WIN980C8DE97FFFFAD4C5E27B1E48A37561DDA18BD70D38E6D40AE0AC84529DAB4FDIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: X64DBG.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: REGMON.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: WINDBG.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: IDAQ.EXEH |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: FIDDLER.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: PEID.EXEH |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: IDAG.EXEH |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: WIRESHARK.EXE |
| Source: plushvcioffattkingstore17774t85.exe |
Binary or memory string: FILEMON.EXE |
| Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
| Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
| Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
| Source: C:\Users\user\Desktop\plushvcioffattkingstore17774t85.exe |
Code function: 0_2_00007FF60F0FDC50 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00007FF60F0FDC50 |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp, plushvcioffattkingstore17774t85.exe, 00000000.00000000.1406924301.00007FF60F101000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: procmon.exe |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp, plushvcioffattkingstore17774t85.exe, 00000000.00000000.1406924301.00007FF60F101000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OLLYDBG.exe |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp, plushvcioffattkingstore17774t85.exe, 00000000.00000000.1406924301.00007FF60F101000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: wireshark.exe |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp, plushvcioffattkingstore17774t85.exe, 00000000.00000000.1406924301.00007FF60F101000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: procexp.exe |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp, plushvcioffattkingstore17774t85.exe, 00000000.00000000.1406924301.00007FF60F101000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: LordPE.exe |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp, plushvcioffattkingstore17774t85.exe, 00000000.00000000.1406924301.00007FF60F101000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: Tcpview.exe |
| Source: plushvcioffattkingstore17774t85.exe, 00000000.00000002.2649353507.00007FF60F102000.00000002.00000001.01000000.00000003.sdmp, plushvcioffattkingstore17774t85.exe, 00000000.00000000.1406924301.00007FF60F101000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: regmon.exe |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet