Analysis

  • max time kernel
    138s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-11-2024 01:24

General

  • Target

    SHADOW BP + HAX 3.4/SETUP/Clean_Gameloop.bat

  • Size

    7KB

  • MD5

    08e7d6aa12dd9e5326c95d48a39fc78c

  • SHA1

    4cea4dc3fb778210b40ce7dda1f6d40184417155

  • SHA256

    8f10f13dc60a2389ba5777932e9ed8ba746fad54231054cc5c91344c95f4dee2

  • SHA512

    9ef6b53ac16e8f4b743d848b5e99a9f10eb16072569f04799ea69f1d7f20ff634e78b360ada717483a2c458638e3ed78acede7ac6ad87dd7dfd7165d275e17cc

  • SSDEEP

    96:CSZyzyd6fHlzcZRcZocZ3cZOcZEcZVcZ6cZTcZXcZ8cZlcZCcZocZLcZ+cZC:ZcWJ

Score
1/10

Signatures

  • Kills process with taskkill 50 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SHADOW BP + HAX 3.4\SETUP\Clean_Gameloop.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im cef_frame_demo.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im cef_frame_render.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im appmarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4840
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:628
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TSettingCenter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidEmulatorEn.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidEmulatorEx.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3528
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im AndroidRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4812
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im syzs_dl_svr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3536
    • C:\Windows\system32\net.exe
      net stop aow_drv
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop aow_drv
        3⤵
        PID:4012
    • C:\Windows\system32\net.exe
      net stop Tensafe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Tensafe
        3⤵
        PID:3836
    • C:\Windows\system32\taskkill.exe
      taskkill /IM "Synaptics.exe" /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnf.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3640
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_1.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tensafe_2.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im tencentdl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im conime.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4132
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im TBSWebRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1220
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im qqlogin.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4000
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchina.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4008
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im dnfchinatest.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1812
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im txplatform.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:780
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TitanService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM ProjectTitan.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM Auxillary.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4848
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TP3Helper.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2232
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM tp3helper.dat
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      PID:352
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2064
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im TBSWebRenderer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4956
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im AppMarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:596
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im AndroidEmulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:228
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im syzs_dl_svr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4900
    • C:\Windows\system32\taskkill.exe
      taskkill /F /im QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4248
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM appmarket.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2024
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM androidemulator.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM aow_exe.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1284
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM QMEmulatorService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4316
    • C:\Windows\system32\taskkill.exe
      TaskKill /F /IM RuntimeBroker.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM adb.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3148
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM GameLoader.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM TSettingCenter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\system32\net.exe
      net stop aow_drv
      2⤵
      PID:4228
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop aow_drv
        3⤵
        PID:1232
    • C:\Windows\system32\net.exe
      net stop Tensafe
      2⤵
      PID:5036
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Tensafe
        3⤵
        PID:3076
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Tencent" /f
      2⤵
      PID:3836
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Tencent" /f
      2⤵
      PID:4044
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f
      2⤵
      • Modifies registry class
      PID:4668
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TencentMobileGameAssistant" /f
      2⤵
      PID:2732
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC" /f
      2⤵
      PID:3340
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC" /f
      2⤵
      PID:3640
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apk\OpenWithList" /f
      2⤵
      PID:1892
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QMEmulatorService" /f
      2⤵
      PID:3448
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aow_drv" /f
      2⤵
      PID:2056
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:4156
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:4988
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:4256
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:3540
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:1656
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:5100
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:3476
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\program files\txgameassistant\appmarket\AppMarket.exe" /f
      2⤵
      PID:4000
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:3320
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:4008
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:5080
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:4432
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:4872
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "D:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:4884
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "E:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:3980
    • C:\Windows\system32\reg.exe
      reg delete "HKEY_USERS\S-1-5-21-1684716338-1731825245-2802686541-500\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "F:\Program Files\program files\txgameassistant\ui\AndroidEmulator.exe" /f
      2⤵
      PID:1776
