Analysis

  • max time kernel
    1466s
  • max time network
    1478s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03-11-2024 00:53

General

  • Target

    SHADOW BP + HAX 3.4/SETUP/Clean_Gameloop.bat

  • Size

    7KB

  • MD5

    08e7d6aa12dd9e5326c95d48a39fc78c

  • SHA1

    4cea4dc3fb778210b40ce7dda1f6d40184417155

  • SHA256

    8f10f13dc60a2389ba5777932e9ed8ba746fad54231054cc5c91344c95f4dee2

  • SHA512

    9ef6b53ac16e8f4b743d848b5e99a9f10eb16072569f04799ea69f1d7f20ff634e78b360ada717483a2c458638e3ed78acede7ac6ad87dd7dfd7165d275e17cc

  • SSDEEP

    96:CSZyzyd6fHlzcZRcZocZ3cZOcZEcZVcZ6cZTcZXcZ8cZlcZCcZocZLcZ+cZC:ZcWJ

Score
1/10

Malware Config

Signatures

  • Kills process with taskkill 50 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SHADOW BP + HAX 3.4\SETUP\Clean_Gameloop.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im cef_frame_demo.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4828
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im cef_frame_render.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5008
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im appmarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4672
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4772
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:992
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5512
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:6076
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5872
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5772
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TSettingCenter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:6028
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidEmulatorEn.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:832
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidEmulatorEx.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:6084
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3916
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im syzs_dl_svr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5740
    • C:\Windows\system32\net.exe
      net stop aow_drv
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop aow_drv
        3⤵
        PID:2204
    • C:\Windows\system32\net.exe
      net stop Tensafe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Tensafe
        3⤵
        PID:32
    • C:\Windows\system32\taskkill.exe
      taskkill /IM "Synaptics.exe" /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:240
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:988
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5172
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4356
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:6064
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TBSWebRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3620
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5676
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:6020
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TitanService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM ProjectTitan.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM Auxillary.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TP3Helper.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM tp3helper.dat
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2076
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2320
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4952
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4972
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im TBSWebRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5804
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im AppMarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im AndroidEmulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im syzs_dl_svr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM appmarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2352
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5316
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:668
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3976
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5596
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TSettingCenter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\system32\net.exe
      net stop aow_drv
      2⤵
      PID:5616
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop aow_drv
        3⤵
        PID:3112
    • C:\Windows\system32\net.exe
      net stop Tensafe
      2⤵
      PID:3176
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Tensafe
        3⤵
        PID:5604
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Tencent" /f
      2⤵
      PID:1528
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Tencent" /f
      2⤵
      PID:5624
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f
      2⤵
      • Modifies registry class
      PID:2136
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TencentMobileGameAssistant" /f
      2⤵
      PID:1352
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC" /f
      2⤵
      PID:4500
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC" /f
      2⤵
      PID:4536
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apk\OpenWithList" /f
      2⤵
      PID:3812
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QMEmulatorService" /f
      2⤵
      PID:4476
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aow_drv" /f
      2⤵
      PID:104
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:5728
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:4652
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:5456
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:5092
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:5252
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:5152
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:4520
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:4816
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:5496
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:5208
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:1096
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:6040
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:2764
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:3956
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:5272
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:4988

Network

MITRE ATT&CK Matrix

Replay Monitor


Downloads