Windows Analysis Report
valorant_ESP_aimbot.exe

Overview

General Information

Sample name: valorant_ESP_aimbot.exe
Analysis ID: 1632000
MD5: 5d43f5bb6521b71f084afe8f3eab201a
SHA1: e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914
SHA256: 5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d
Tags: exe, XWorm, user-aachum

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Uses the Telegram API (likely for C&C communication)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • valorant_ESP_aimbot.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\valorant_ESP_aimbot.exe" MD5: 5D43F5BB6521B71F084AFE8F3EAB201A)
    • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: valorant_ESP_aimbot.exe | Avira: detected
Source: valorant_ESP_aimbot.exe | ReversingLabs: Detection: 57%
Source: valorant_ESP_aimbot.exe | Virustotal: Detection: 62%
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536AEC80 BCryptGenRandom,0_2_00007FF7536AEC80
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536AEAC0 BCryptGenRandom,0_2_00007FF7536AEAC0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DD4F0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,0_2_00007FF7536DD4F0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536D7410 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,0_2_00007FF7536D7410
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536AF8D0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF7536AF8D0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DFE00 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF7536DFE00
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536D6AD0 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateContext,0_2_00007FF7536D6AD0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DCF70 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF7536DCF70
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DCF60 CryptHashData,0_2_00007FF7536DCF60
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DEE30 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF7536DEE30
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536D6EF0 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,0_2_00007FF7536D6EF0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DCEE0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,0_2_00007FF7536DCEE0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DEEC0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00007FF7536DEEC0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536DEDB0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,0_2_00007FF7536DEDB0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_00007FF753691060
Source: valorant_ESP_aimbot.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: mov dword ptr [rbp+04h], 424D53FFh 0_2_00007FF7536C46A0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: valorant_ESP_aimbot.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\users\Administrator\Desktop\crypter\crypter\x64\Release\crypter.pdb | source: valorant_ESP_aimbot.exe

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536AE0E0 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,0_2_00007FF7536AE0E0
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://api.telegram.org/bot
Source: valorant_ESP_aimbot.exe, 00000000.00000002.1348853793.0000013F51C6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7446828960:AAEkc-o_ddrGi8YykO2bp5LRB5CeoyXbG8w/getFile?file_id=BQACAgQAA
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://api.telegram.org/botokresultfile_path/https://api.telegram.org/file/bot7446828960:AAEkc-o_dd
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://api.telegram.org/file/bot
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://curl.se/docs/hsts.html
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: valorant_ESP_aimbot.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF753698C40 appears 328 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF753698CE0 appears 44 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF7536A05C0 appears 34 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF75369E420 appears 33 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF753698B50 appears 408 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF7536F87B0 appears 47 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF7536A04F0 appears 52 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF75369DE20 appears 76 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF753683310 appears 48 times
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: String function: 00007FF75369DDB0 appears 38 times
Source: valorant_ESP_aimbot.exe | Binary or memory string: OriginalFilename vs valorant_ESP_aimbot.exe
Source: valorant_ESP_aimbot.exe, 00000000.00000002.1349163453.00007FF753753000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUnreal Console Host< vs valorant_ESP_aimbot.exe
Source: valorant_ESP_aimbot.exe | Binary or memory string: OriginalFilenameUnreal Console Host< vs valorant_ESP_aimbot.exe
Source: classification engine | Classification label: mal60.troj.winEXE@2/0@1/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: valorant_ESP_aimbot.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: valorant_ESP_aimbot.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: unknown | Process created: C:\Users\user\Desktop\valorant_ESP_aimbot.exe "C:\Users\user\Desktop\valorant_ESP_aimbot.exe"
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Section loaded: schannel.dll
Source: valorant_ESP_aimbot.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: valorant_ESP_aimbot.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: valorant_ESP_aimbot.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: valorant_ESP_aimbot.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: valorant_ESP_aimbot.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: valorant_ESP_aimbot.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: valorant_ESP_aimbot.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: valorant_ESP_aimbot.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: valorant_ESP_aimbot.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: valorant_ESP_aimbot.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: valorant_ESP_aimbot.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: valorant_ESP_aimbot.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF75369B860 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,0_2_00007FF75369B860
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536AC55F push rsp; ret 0_2_00007FF7536AC565
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536ACC8A push rdi; retf 0002h 0_2_00007FF7536ACC8D
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536BCBE4 push rbx; retf 0_2_00007FF7536BCBE9
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536BCBD2 push rbx; retf 0003h 0_2_00007FF7536BCBE1
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536ACD1E push rdi; retf 0_2_00007FF7536ACD25
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-71600
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-70501
Source: valorant_ESP_aimbot.exe, 00000000.00000003.1348569265.0000013F51C83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536F16C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7536F16C0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536F1864 SetUnhandledExceptionFilter,0_2_00007FF7536F1864
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536F68A8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7536F68A8
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536F0A50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7536F0A50
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF75371B450
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: EnumSystemLocalesW,0_2_00007FF75371B87C
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: EnumSystemLocalesW,0_2_00007FF75371B7AC
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF75371BCB4
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF75371BE98
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: EnumSystemLocalesW,0_2_00007FF7537107F0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: GetLocaleInfoW,0_2_00007FF753710D88
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536F15B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7536F15B0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF753717398 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF753717398
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536CF2C0 htons,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,0_2_00007FF7536CF2C0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536C00B0 getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,0_2_00007FF7536C00B0
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536B4859 bind,WSAGetLastError,0_2_00007FF7536B4859
Source: C:\Users\user\Desktop\valorant_ESP_aimbot.exe | Code function: 0_2_00007FF7536B4AD0 bind,WSAGetLastError,0_2_00007FF7536B4AD0
MITRE ATT&CK Matrix (techniques with matching signatures; number of matching signatures in parentheses)

  • Execution: Command and Scripting Interpreter (2), Native API (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
  • Discovery: System Time Discovery (2), Security Software Discovery (11), System Information Discovery (12)
  • Lateral Movement: Exploitation of Remote Services (1)
  • Collection: Archive Collected Data (12)
  • Command and Control: Web Service (1), Encrypted Channel (22), Ingress Tool Transfer (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
  • Impact: Data Encrypted for Impact (1)
  • Reconnaissance, Resource Development, Initial Access, Credential Access, Exfiltration: no matching techniques

Source | Detection | Scanner | Label
valorant_ESP_aimbot.exe | 58% | ReversingLabs | Win64.Trojan.Amadey
valorant_ESP_aimbot.exe | 62% | Virustotal | (no label)
valorant_ESP_aimbot.exe | 100% | Avira | TR/Dldr.Agent.fgtqd
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | (none) | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | valorant_ESP_aimbot.exe | false | (none) | high
https://api.telegram.org/botokresultfile_path/https://api.telegram.org/file/bot7446828960:AAEkc-o_dd | valorant_ESP_aimbot.exe | false | (none) | high
https://curl.se/docs/alt-svc.html# | valorant_ESP_aimbot.exe | false | (none) | high
https://curl.se/docs/http-cookies.html# | valorant_ESP_aimbot.exe | false | (none) | high
https://api.telegram.org/file/bot | valorant_ESP_aimbot.exe | false | (none) | high
https://curl.se/docs/alt-svc.html | valorant_ESP_aimbot.exe | false | (none) | high
https://api.telegram.org/bot | valorant_ESP_aimbot.exe | false | (none) | high
https://curl.se/docs/http-cookies.html | valorant_ESP_aimbot.exe | false | (none) | high
https://curl.se/docs/hsts.html# | valorant_ESP_aimbot.exe | false | (none) | high
https://api.telegram.org/bot7446828960:AAEkc-o_ddrGi8YykO2bp5LRB5CeoyXbG8w/getFile?file_id=BQACAgQAA | valorant_ESP_aimbot.exe, 00000000.00000002.1348853793.0000013F51C6C000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
IP: 127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632000
Start date and time: 2025-03-07 18:23:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: valorant_ESP_aimbot.exe
Detection: MAL
Classification: mal60.troj.winEXE@2/0@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 66
• Number of non-executed functions: 158
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded IPs from analysis (whitelisted): 23.199.214.10
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
• Not all processes were analyzed, report is missing behavior information
                        No simulations
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        149.154.167.220georgefloyd.batGet hashmaliciousXWormBrowse
                          ZTEIhNCtP3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            uPDwUy9ewY.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                              OeM750ajqm.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                UFOiZapHGS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                  x8ggp1u7V8.exeGet hashmaliciousAgentTeslaBrowse
                                    mKRflLn5sx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                      UOEAjWmusE.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                        nGI2U2r41E.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                          ckHregxJIq.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
api.telegram.org | georgefloyd.bat | Get hash | malicious | XWorm | Browse | 149.154.167.220
api.telegram.org | ZTEIhNCtP3.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | uPDwUy9ewY.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | OeM750ajqm.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | UFOiZapHGS.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | x8ggp1u7V8.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
api.telegram.org | mKRflLn5sx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | UOEAjWmusE.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | nGI2U2r41E.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | ckHregxJIq.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | georgefloyd.bat | Get hash | malicious | XWorm | Browse | 149.154.167.220
TELEGRAMRU | ZTEIhNCtP3.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | uPDwUy9ewY.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | OeM750ajqm.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | UFOiZapHGS.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | x8ggp1u7V8.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
TELEGRAMRU | mKRflLn5sx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | UOEAjWmusE.exe | Get hash | malicious | MSIL Logger, MassLogger RAT | Browse | 149.154.167.220
TELEGRAMRU | nGI2U2r41E.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | ckHregxJIq.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bd0bf25947d4a37404f0424edf4db9ad | setup.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | Cb523jmji0.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | leFhB1aYaW.exe | Get hash | malicious | DCRat | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | Loader.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | 1.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | setup.msi | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | 5bf784.msi | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | 34.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | 11.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
bd0bf25947d4a37404f0424edf4db9ad | BundleInstaller.dll.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
No context
No created / dropped files found
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 6.273459948144112
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: valorant_ESP_aimbot.exe
File size: 991'744 bytes
MD5: 5d43f5bb6521b71f084afe8f3eab201a
SHA1: e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914
SHA256: 5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d
SHA512: 5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a
SSDEEP: 24576:ulBq4/QlK9/CqNzb5lgV6tZVPKilGRx1D:ulBj/V6QtGile
TLSH: 88257D5E63A830F9D56790F8C5DA5203D7B2B4D61330A7DB22A08F693F236E55E3A311
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m...m...m...&...a...&.......&...q...|E@.j...|E..g...|E......|E..8...&...|...m.......t...n...t........E..l....EB.l...m.*.l..
Icon Hash: 0f33a8b286230f8c
Entrypoint: 0x1400709c0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x67B517CA [Tue Feb 18 23:29:14 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: cfca4a34c112c1814d56edc0be75de3a
Instruction
dec eax
sub esp, 28h
call 00007F8DAD0A77CCh
dec eax
add esp, 28h
jmp 00007F8DAD0A6A57h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F8DAD0A6BF2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F8DAD0A6BF5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F8DAD0A6BEDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F8DAD0A6856h
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [000329AFh]
dec eax
mov ecx, ebx
call dword ptr [0003299Eh]
call dword ptr [000329A8h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0003299Ch]
dec eax
mov dword ptr [esp+00h], ecx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcd1ac | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdb000 | 0x1a545 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xd3000 | 0x7adc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf6000 | 0x10a0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc2380 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc2580 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xc2240 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa3000 | 0x690 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa17f4 | 0xa1800 | 4f6b662288f8f9f3dbd922c8299fa8d4 | False | 0.5467011537345201 | data | 6.438675539507798 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa3000 | 0x2b588 | 0x2b600 | ebd0aa9fb3db2c3a7ecd662981161eb4 | False | 0.4128692363112392 | data | 5.5884978015444275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcf000 | 0x3328 | 0x1c00 | 228b18e03f2261837a64219ebbe98b80 | False | 0.17243303571428573 | data | 3.2196114885132823 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xd3000 | 0x7adc | 0x7c00 | efba14f94c2015f75219dd1bb212f61e | False | 0.48541456653225806 | data | 5.889107770612065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xdb000 | 0x1a545 | 0x1a600 | f6b39914894a877a09a2543cf04c7860 | False | 0.1270827162322275 | data | 3.0758373490775797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf6000 | 0x10a0 | 0x1200 | 987e9c2e166aa7ab4284815ed94d80b3 | False | 0.4233940972222222 | data | 5.282973197899523 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xdb220 | 0x1945 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9799041582933993
RT_ICON | 0xdcb68 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.040547734532118775
RT_ICON | 0xed390 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.08650212564950402
RT_ICON | 0xf15b8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.1204356846473029
RT_ICON | 0xf3b60 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.174718574108818
RT_ICON | 0xf4c08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.3333333333333333
RT_GROUP_ICON | 0xf5070 | 0x5a | data | English | United States | 0.7666666666666667
RT_VERSION | 0xf50cc | 0x2fc | data | English | United States | 0.4816753926701571
RT_MANIFEST | 0xf53c8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | GetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, GetCurrentProcessId, SleepEx, VerSetConditionMask, VerifyVersionInfoW, CreateFileA, GetFileSizeEx, WriteConsoleW, HeapSize, DeleteFileW, GetStdHandle, GetEnvironmentVariableA, WaitForSingleObjectEx, CloseHandle, MoveFileExA, FormatMessageW, SetLastError, GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetProcessHeap, Sleep, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFullPathNameW, GetCurrentDirectoryW, SetEndOfFile, SetStdHandle, GetFileAttributesExW, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, HeapReAlloc, HeapFree, HeapAlloc, LoadLibraryA, GetProcAddress, GetModuleHandleA, FreeLibrary, GetSystemDirectoryA, QueryPerformanceFrequency, DeleteCriticalSection, InitializeCriticalSectionEx, LeaveCriticalSection, EnterCriticalSection, GetTickCount, QueryPerformanceCounter, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetConsoleWindow, SetEnvironmentVariableW, VirtualAlloc, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, GetCommandLineW, GetCommandLineA, ExitProcess, GetModuleFileNameW, RtlUnwind, WriteFile, SetFilePointerEx, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFileInformationByHandle, GetDriveTypeW, CreateFileW, LoadLibraryExW, TlsFree, TlsSetValue, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, WakeAllConditionVariable, SleepConditionVariableSRW, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue
USER32.dll | ShowWindow
ADVAPI32.dll | CryptAcquireContextA, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt, CryptReleaseContext, CryptGetHashParam
WS2_32.dll | getpeername, sendto, recvfrom, freeaddrinfo, ioctlsocket, gethostname, recv, listen, htonl, getsockname, connect, bind, accept, select, __WSAFDIsSet, socket, htons, WSAIoctl, setsockopt, WSACleanup, WSAStartup, WSASetLastError, ntohs, WSAGetLastError, closesocket, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, send, getsockopt, getaddrinfo
CRYPT32.dll | CryptStringToBinaryA, CertFreeCertificateContext, CryptDecodeObjectEx, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertAddCertificateContextToStore, PFXImportCertStore, CertFindExtension, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFindCertificateInStore, CertFreeCertificateChain
WLDAP32.dll |
Normaliz.dll | IdnToUnicode, IdnToAscii
bcrypt.dll | BCryptGenRandom
Description | Data
CompanyName | Epic Games Studio
FileDescription | Epic Game Studio Console Host
FileVersion | 1.2.9.0
InternalName | Epic Studios
LegalCopyright | Copyright (C) 2025
OriginalFilename | Unreal Console Host
ProductName | UNREAL ENGINE
ProductVersion | 1.2.6.3
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 18:23:57.674983978 CET | 49698 | 443 | 192.168.2.5 | 149.154.167.220
Mar 7, 2025 18:23:57.675030947 CET | 443 | 49698 | 149.154.167.220 | 192.168.2.5
Mar 7, 2025 18:23:57.675228119 CET | 49698 | 443 | 192.168.2.5 | 149.154.167.220
Mar 7, 2025 18:23:57.689826012 CET | 49698 | 443 | 192.168.2.5 | 149.154.167.220
Mar 7, 2025 18:23:57.689853907 CET | 443 | 49698 | 149.154.167.220 | 192.168.2.5
Mar 7, 2025 18:23:59.854893923 CET | 443 | 49698 | 149.154.167.220 | 192.168.2.5
Mar 7, 2025 18:23:59.855005026 CET | 49698 | 443 | 192.168.2.5 | 149.154.167.220
Mar 7, 2025 18:23:59.866293907 CET | 49698 | 443 | 192.168.2.5 | 149.154.167.220
Mar 7, 2025 18:23:59.866314888 CET | 443 | 49698 | 149.154.167.220 | 192.168.2.5
Mar 7, 2025 18:23:59.866403103 CET | 49698 | 443 | 192.168.2.5 | 149.154.167.220
Mar 7, 2025 18:23:59.866602898 CET | 443 | 49698 | 149.154.167.220 | 192.168.2.5
Mar 7, 2025 18:23:59.866664886 CET | 49698 | 443 | 192.168.2.5 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 18:23:57.662523985 CET | 53959 | 53 | 192.168.2.5 | 1.1.1.1
Mar 7, 2025 18:23:57.670250893 CET | 53 | 53959 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 18:23:57.662523985 CET | 192.168.2.5 | 1.1.1.1 | 0x445b | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 18:23:57.670250893 CET | 1.1.1.1 | 192.168.2.5 | 0x445b | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 12:23:56
Start date: 07/03/2025
Path: C:\Users\user\Desktop\valorant_ESP_aimbot.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\valorant_ESP_aimbot.exe"
Imagebase: 0x7ff753680000
File size: 991'744 bytes
MD5 hash: 5D43F5BB6521B71F084AFE8F3EAB201A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:23:56
Start date: 07/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7e2000000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
