Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-11-2024 01:24

General

  • Target

    SHADOW BP + HAX 3.4/SETUP/Clean_Gameloop.bat

  • Size

    7KB

  • MD5

    08e7d6aa12dd9e5326c95d48a39fc78c

  • SHA1

    4cea4dc3fb778210b40ce7dda1f6d40184417155

  • SHA256

    8f10f13dc60a2389ba5777932e9ed8ba746fad54231054cc5c91344c95f4dee2

  • SHA512

    9ef6b53ac16e8f4b743d848b5e99a9f10eb16072569f04799ea69f1d7f20ff634e78b360ada717483a2c458638e3ed78acede7ac6ad87dd7dfd7165d275e17cc

  • SSDEEP

    96:CSZyzyd6fHlzcZRcZocZ3cZOcZEcZVcZ6cZTcZXcZ8cZlcZCcZocZLcZ+cZC:ZcWJ

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Kills process with taskkill 50 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\SHADOW BP + HAX 3.4\SETUP\Clean_Gameloop.bat"
    1⤵
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im cef_frame_demo.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im cef_frame_render.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im appmarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TSettingCenter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidEmulatorEn.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidEmulatorEx.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1868
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im syzs_dl_svr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Windows\system32\net.exe
      net stop aow_drv
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop aow_drv
        3⤵
        PID:708
    • C:\Windows\system32\net.exe
      net stop Tensafe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Tensafe
        3⤵
        PID:896
    • C:\Windows\system32\taskkill.exe
      taskkill /IM "Synaptics.exe" /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1884
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TBSWebRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1372
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2140
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TitanService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM ProjectTitan.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM Auxillary.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TP3Helper.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2228
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM tp3helper.dat
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1296
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1880
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:280
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im TBSWebRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1980
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im AppMarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im AndroidEmulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im syzs_dl_svr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3024
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM appmarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2516
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TSettingCenter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\system32\net.exe
      net stop aow_drv
      2⤵
      PID:2772
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop aow_drv
        3⤵
        PID:2820
    • C:\Windows\system32\net.exe
      net stop Tensafe
      2⤵
      PID:2904
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Tensafe
        3⤵
        PID:2552
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Tencent" /f
      2⤵
      PID:2580
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Tencent" /f
      2⤵
      PID:2376
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f
      2⤵
      • Modifies registry class
      PID:2744
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TencentMobileGameAssistant" /f
      2⤵
      PID:1336
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC" /f
      2⤵
      PID:2568
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC" /f
      2⤵
      PID:3016
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apk\OpenWithList" /f
      2⤵
      PID:2736
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QMEmulatorService" /f
      2⤵
      PID:1732
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aow_drv" /f
      2⤵
      PID:2724
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2768
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2564
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2556
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2548
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2600
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2672
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2596
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:2576
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:2988
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:1516
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:2984
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:2720
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:2996
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:1640
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:2008
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:2012
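The Signatures block above is produced by classifying the child command lines of the cmd.exe tree: repeated `taskkill /f /im`, `net stop` of driver/service names, and `reg delete` of keys under `SYSTEM\ControlSet001\Services`. The following is an added example (not the sandbox's own rule set) that reproduces that classification over a constructed subset of the command lines listed in the tree, so the same triage can be run on process-creation telemetry offline. The watchlist (treating aow_drv, TenSafe, TP3Helper and the Titan components as the emulator's protection/driver components), the kill threshold and the two-indicator verdict are assumptions chosen for illustration.

```python
"""Classify the child command lines of a cmd.exe process tree into the
behaviours a sandbox reports (taskkill, net stop, reg delete) and flag the
protection-tampering pattern.  Added example; the watchlist, the kill
threshold and the verdict logic are assumptions, not the sandbox's rules."""
import re
from collections import Counter

# Constructed sample: a subset of the command lines listed in the report,
# as (parent image, parent PID, command line) tuples.
EVENTS = [
    ("cmd.exe", 2660, "taskkill /f /im cef_frame_demo.exe"),
    ("cmd.exe", 2660, "taskkill /f /im aow_exe.exe"),
    ("cmd.exe", 2660, "taskkill /f /im RuntimeBroker.exe"),
    ("cmd.exe", 2660, "taskkill /f /im tensafe_1.exe"),
    ("cmd.exe", 2660, "net stop aow_drv"),
    ("net.exe", 308, r"C:\Windows\system32\net1 stop aow_drv"),
    ("cmd.exe", 2660, "net stop Tensafe"),
    ("cmd.exe", 2660, 'taskkill /IM "Synaptics.exe" /F'),
    ("cmd.exe", 2660, "taskkill /F /IM TitanService.exe"),
    ("cmd.exe", 2660, "TaskKill /F /IM aow_exe.exe"),
    ("cmd.exe", 2660, r'reg delete "HKEY_CURRENT_USER\Software\Tencent" /f'),
    ("cmd.exe", 2660, r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QMEmulatorService" /f'),
    ("cmd.exe", 2660, r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aow_drv" /f'),
    ("cmd.exe", 2660, r'reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f'),
]

# Assumed watchlist: the driver/service names the script stops or unregisters,
# plus the TP3/TenSafe/Titan components, treated here as protection components.
WATCHLIST = {"tensafe", "tensafe_1", "tensafe_2", "aow_drv",
             "titanservice", "projecttitan", "tp3helper"}
KILL_THRESHOLD = 5  # assumed: this many forced kills from one parent is unusual

# Service registration keys: HKLM\SYSTEM\<control set>\Services\<name>
SERVICES_KEY = re.compile(
    r"^HK(?:EY_LOCAL_MACHINE|LM)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)",
    re.IGNORECASE,
)


def tokens(cmdline):
    """Split a cmd.exe command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify(cmdline):
    """Return (behaviour, target, forced) for taskkill / net stop / reg delete, else None."""
    t = tokens(cmdline)
    if not t:
        return None
    exe = t[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    args, low = t[1:], [x.lower() for x in t[1:]]
    if exe == "taskkill" and "/im" in low and low.index("/im") + 1 < len(args):
        return ("kill", args[low.index("/im") + 1].lower(), "/f" in low)
    if exe in ("net", "net1") and len(args) >= 2 and low[0] == "stop":
        return ("stop_service", args[1].lower(), True)
    if exe == "reg" and len(args) >= 2 and low[0] == "delete":
        return ("reg_delete", args[1], "/f" in low)
    return None


def summarize(events):
    """Aggregate classified events into the counts a signature list reports."""
    s = {"kills": Counter(), "forced_kills": 0, "services_stopped": set(),
         "service_keys_deleted": set(), "reg_deletes": 0, "watchlist_hits": set()}
    for _parent, _ppid, cmdline in events:
        c = classify(cmdline)
        if c is None:
            continue
        kind, target, forced = c
        if kind == "kill":
            s["kills"][target] += 1
            s["forced_kills"] += forced
            name = target.removesuffix(".exe")
        elif kind == "stop_service":
            s["services_stopped"].add(target)
            name = target
        else:
            s["reg_deletes"] += 1
            m = SERVICES_KEY.match(target)
            name = m.group(1).lower() if m else None
            if name:
                s["service_keys_deleted"].add(name)
        if name in WATCHLIST:
            s["watchlist_hits"].add(name)
    return s


def verdict(s):
    """Assumed scoring: two or more independent tampering indicators => suspicious."""
    reasons = []
    if s["forced_kills"] >= KILL_THRESHOLD:
        reasons.append(f"{s['forced_kills']} forced kills via taskkill")
    if s["watchlist_hits"]:
        reasons.append("protection components targeted: " + ", ".join(sorted(s["watchlist_hits"])))
    if s["service_keys_deleted"]:
        reasons.append("service registration deleted: " + ", ".join(sorted(s["service_keys_deleted"])))
    return ("suspicious" if len(reasons) >= 2 else "low", reasons)


if __name__ == "__main__":
    summary = summarize(EVENTS)
    label, why = verdict(summary)
    print(f"Kills process with taskkill {sum(summary['kills'].values())} IoCs")
    print(f"Runs net.exe: stopped {sorted(summary['services_stopped'])}")
    print(f"Verdict: {label}")
    for reason in why:
        print(" -", reason)
```

The parser is the part worth keeping: `taskkill`, `net stop` and `reg delete` all appear here in mixed case, with and without a full `C:\Windows\system32\` path, and with quoted arguments containing spaces, so matching on the normalised executable name and on quote-aware tokens is what keeps the counts stable. Feeding the same function Sysmon event 1 or Security 4688 command lines grouped by parent PID gives the same breakdown as the Signatures block.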

Network

MITRE ATT&CK Matrix
