Windows Analysis Report
esphvcioffattkingstore444d7.exe

Overview

General Information

Sample name: esphvcioffattkingstore444d7.exe
Analysis ID: 1592718
MD5: b9c7dff0cf35f581d4f922c835762246
SHA1: 728aa2cd04b2c028c269389c5361e3fd4f6d8c03
SHA256: 9022cdebf7bda58adf55b7203c4d7665c5def2c34a0590f503f0ad993feaf93a
Tags: exemalwaretrojanuser-Joker
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: esphvcioffattkingstore444d7.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: esphvcioffattkingstore444d7.exe Virustotal: Detection: 43% Perma Link
Source: esphvcioffattkingstore444d7.exe ReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 82.5% probability
Machine Learning detection for sample
Source: esphvcioffattkingstore444d7.exe Joe Sandbox ML: detected
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_fd9ca4cd-f
Source: esphvcioffattkingstore444d7.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: <sD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: esphvcioffattkingstore444d7.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: esphvcioffattkingstore444d7.exe String found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: esphvcioffattkingstore444d7.exe String found in binary or memory: https://scripts.sil.org/OFLThis
Source: esphvcioffattkingstore444d7.exe String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie
Source: esphvcioffattkingstore444d7.exe Binary string: 8\Device\microsoftAudioDriver\DosDevices\microsoftAudioDriverKmdfLibraryDriverEntry failed 0x%x for driver %wZ
Source: classification engine Classification label: mal68.evad.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: esphvcioffattkingstore444d7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: esphvcioffattkingstore444d7.exe Virustotal: Detection: 43%
Source: esphvcioffattkingstore444d7.exe ReversingLabs: Detection: 55%
Source: esphvcioffattkingstore444d7.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryx/
Source: unknown Process created: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe "C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe"
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: d3dx11_43.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: d3dcompiler_43.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Section loaded: vcruntime140.dll Jump to behavior
Source: esphvcioffattkingstore444d7.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: esphvcioffattkingstore444d7.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: esphvcioffattkingstore444d7.exe Static file information: File size 4211712 > 1048576
Source: esphvcioffattkingstore444d7.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11d000
Source: esphvcioffattkingstore444d7.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x28de00
Source: esphvcioffattkingstore444d7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: esphvcioffattkingstore444d7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: esphvcioffattkingstore444d7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: esphvcioffattkingstore444d7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: esphvcioffattkingstore444d7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: esphvcioffattkingstore444d7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: esphvcioffattkingstore444d7.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: esphvcioffattkingstore444d7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: <sD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\KingStore\HVCI OFF VALORANT\esp\x64\Release\Google Chrome.pdb source: esphvcioffattkingstore444d7.exe
Source: esphvcioffattkingstore444d7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: esphvcioffattkingstore444d7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: esphvcioffattkingstore444d7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: esphvcioffattkingstore444d7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: esphvcioffattkingstore444d7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: esphvcioffattkingstore444d7.exe Binary or memory string: PROCESSHACKER.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: PROCMON.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: OLLYDBG.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: [ %.FM ] HEALTH RENDERED][ CR][VALORANT PLUS] - FPS: %.1FCPLUSPLUSEXAMPLE/1.0GETKEYAUTH.WIN980C8DE97FFFFAD4C5E27B1E48A37561DDA18BD70D38E6D40AE0AC84529DAB4FDIEC.EXEDWNEJFE.EXEWIN64.EXESYSTEMINFORMER.EXEPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPE-BEAR.EXELORDPE.EXEWIRESHARK.EXETCPVIEW.EXEPROCEXP64.EXEPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXECLS
Source: esphvcioffattkingstore444d7.exe Binary or memory string: X64DBG.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: REGMON.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: WINDBG.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: FIDDLER.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: IDAQ.EXEH
Source: esphvcioffattkingstore444d7.exe Binary or memory string: PEID.EXEH
Source: esphvcioffattkingstore444d7.exe Binary or memory string: IDAG.EXEH
Source: esphvcioffattkingstore444d7.exe Binary or memory string: WIRESHARK.EXE
Source: esphvcioffattkingstore444d7.exe Binary or memory string: FILEMON.EXE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\esphvcioffattkingstore444d7.exe Code function: 0_2_00007FF739FDB8F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF739FDB8F0
AV process strings found (often used to terminate AV products)
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procmon.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OLLYDBG.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: wireshark.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procexp.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: LordPE.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Tcpview.exe
Source: esphvcioffattkingstore444d7.exe, 00000000.00000000.1319601308.00007FF739FDE000.00000002.00000001.01000000.00000003.sdmp, esphvcioffattkingstore444d7.exe, 00000000.00000002.2571785383.00007FF739FDF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: regmon.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1592718 Sample: esphvcioffattkingstore444d7.exe Startdate: 16/01/2025 Architecture: WINDOWS Score: 68 10 Antivirus / Scanner detection for submitted sample 2->10 12 Multi AV Scanner detection for submitted file 2->12 14 Machine Learning detection for sample 2->14 16 2 other signatures 2->16 6 esphvcioffattkingstore444d7.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos