Overview

Sidebar tabs and their score badges, as displayed on the page (task names are truncated as shown):

Score  Tab / task              Platform
10     Static                  -
5      SHADOW BP ...IP.exe     windows7-x64
3      SHADOW BP ...IP.exe     windows10-2004-x64
3      SHADOW BP ...op.bat     windows7-x64
7      SHADOW BP ...op.bat     windows10-2004-x64
1      SHADOW BP ...it.exe     windows7-x64
7      SHADOW BP ...it.exe     windows10-2004-x64
7      SHADOW BP ...op.bat     windows7-x64
1      SHADOW BP ...op.bat     windows10-2004-x64
1      Windows De...ol.exe     windows7-x64
10     Windows De...ol.exe     windows10-2004-x64
Analysis

max time kernel:   117s
max time network:  117s
platform:          windows7_x64
resource:          win7-20240708-en
resource tags:     arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted:         03-11-2024 01:24

This page is the report for the Windows 7 run of Kill_Gameloop.bat (task behavioral7 in the list below; the resource name matches).
Behavioral tasks

Task         Sample                                                          Resource
behavioral1  SHADOW BP + HAX 3.4/BYPASS/Release/txn54kjdcy1#SHADOW VIP.exe   win7-20240903-en
behavioral2  SHADOW BP + HAX 3.4/BYPASS/Release/txn54kjdcy1#SHADOW VIP.exe   win10v2004-20241007-en
behavioral3  SHADOW BP + HAX 3.4/SETUP/Clean_Gameloop.bat                    win7-20240903-en
behavioral4  SHADOW BP + HAX 3.4/SETUP/Clean_Gameloop.bat                    win10v2004-20241007-en
behavioral5  SHADOW BP + HAX 3.4/SETUP/Gameloop 32 Bit.exe                   win7-20240903-en
behavioral6  SHADOW BP + HAX 3.4/SETUP/Gameloop 32 Bit.exe                   win10v2004-20241007-en
behavioral7  SHADOW BP + HAX 3.4/SETUP/Kill_Gameloop.bat                     win7-20240708-en
behavioral8  SHADOW BP + HAX 3.4/SETUP/Kill_Gameloop.bat                     win10v2004-20241007-en
behavioral9  Windows Defender Control/dControl.exe                           win7-20241010-en
General

Target:  SHADOW BP + HAX 3.4/SETUP/Kill_Gameloop.bat
Size:    507B
MD5:     9b1141afa4c3fa4711363995f50293f9
SHA1:    a42e270c2c3d42626607ede069ddbc88a62efee0
SHA256:  3fc915854738ccfa1e5340a353fb11627c9a02fe956dcf29807b8e7b2dc4550c
SHA512:  d57915a1df776ea0d3b1a6d4e285387d396f0c232f810a8b8be9c51737a0c90a2dac7b22224327fc60470b5d435f060f3bceacff75b1aadbf07167bdd130b198
Malware Config
(none listed for this task)

Signatures

What the run shows: the batch file stops two services (aow_drv and Tensafe) with `net stop`, force-kills twelve image names with `taskkill /f /im`, then stops the same two services again. Every process in the tree is a direct or second-level child of the cmd.exe that ran the script; the signatures record service stops, forced kills and the token/memory side effects of those two tools, and nothing else. Eleven of the kill targets are emulator components; the twelfth, RuntimeBroker.exe, is a Windows component (the permission broker for packaged apps) rather than part of the emulator, and on the Windows 7 image used here there is no such process to kill.

Kills process with taskkill (12 IoCs)
pid   Process
2616  taskkill.exe
3044  taskkill.exe
2212  taskkill.exe
2760  taskkill.exe
2908  taskkill.exe
2424  taskkill.exe
2848  taskkill.exe
2756  taskkill.exe
2592  taskkill.exe
1668  taskkill.exe
2792  taskkill.exe
2844  taskkill.exe

Runs net.exe
(no IoCs listed; the four net.exe instances are the `net stop` calls in the process tree below)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Token: SeDebugPrivilege, enabled by each taskkill.exe instance (PIDs 1668, 2212, 2792, 2844, 2760, 2424, 2848, 2908, 2756, 2616, 2592, 3044). taskkill with /f enables SeDebugPrivilege in its own token so it can open and terminate processes it could not otherwise access; the same twelve PIDs therefore appear in this signature and in the one above, and on its own this signature is expected for any forced taskkill rather than evidence of anything beyond it.

Suspicious use of WriteProcessMemory (60 IoCs)
Each entry is a parent writing into a process it has just created (cmd.exe into net.exe or taskkill.exe, net.exe into net1.exe); no write targets a process outside this tree. Each creation is logged three times, giving 20 distinct parent/child pairs for the 60 IoCs. procid_target 36 does not appear.

pid   Process   wrote to   procid_target   events
2492  cmd.exe   2360       31              3
2360  net.exe   2824       32              3
2492  cmd.exe   1988       33              3
1988  net.exe   1688       34              3
2492  cmd.exe   1668       35              3
2492  cmd.exe   2212       37              3
2492  cmd.exe   2792       38              3
2492  cmd.exe   2844       39              3
2492  cmd.exe   2760       40              3
2492  cmd.exe   2424       41              3
2492  cmd.exe   2848       42              3
2492  cmd.exe   2908       43              3
2492  cmd.exe   2756       44              3
2492  cmd.exe   2616       45              3
2492  cmd.exe   2592       46              3
2492  cmd.exe   3044       47              3
2492  cmd.exe   2396       48              3
2396  net.exe   3056       49              3
2492  cmd.exe   3060       50              3
3060  net.exe   832        51              3
Processes

Indentation level is the depth marker (1, 2, 3) from the report; each line is: PID, image, command line, then the signatures attached to that process.

[1] PID 2492  C:\Windows\system32\cmd.exe  cmd /c "C:\Users\Admin\AppData\Local\Temp\SHADOW BP + HAX 3.4\SETUP\Kill_Gameloop.bat"  -- Suspicious use of WriteProcessMemory
  [2] PID 2360  C:\Windows\system32\net.exe  net stop aow_drv  -- Suspicious use of WriteProcessMemory
    [3] PID 2824  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop aow_drv
  [2] PID 1988  C:\Windows\system32\net.exe  net stop Tensafe  -- Suspicious use of WriteProcessMemory
    [3] PID 1688  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop Tensafe
  [2] PID 1668  C:\Windows\system32\taskkill.exe  taskkill /f /im appmarket.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2212  C:\Windows\system32\taskkill.exe  taskkill /f /im androidemulator.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2792  C:\Windows\system32\taskkill.exe  taskkill /f /im aow_exe.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2844  C:\Windows\system32\taskkill.exe  taskkill /f /im QMEmulatorService.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2760  C:\Windows\system32\taskkill.exe  taskkill /f /im RuntimeBroker.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2424  C:\Windows\system32\taskkill.exe  taskkill /f /im adb.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2848  C:\Windows\system32\taskkill.exe  taskkill /f /im GameLoader.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2908  C:\Windows\system32\taskkill.exe  taskkill /f /im TSettingCenter.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2756  C:\Windows\system32\taskkill.exe  taskkill /f /im syzs_dl_svr.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2616  C:\Windows\system32\taskkill.exe  taskkill /f /im AndroidEmulator.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2592  C:\Windows\system32\taskkill.exe  taskkill /f /im AndroidEmulatorEn.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 3044  C:\Windows\system32\taskkill.exe  taskkill /f /im AndroidEmulatorEx.exe  -- Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  [2] PID 2396  C:\Windows\system32\net.exe  net stop aow_drv  -- Suspicious use of WriteProcessMemory
    [3] PID 3056  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop aow_drv
  [2] PID 3060  C:\Windows\system32\net.exe  net stop Tensafe  -- Suspicious use of WriteProcessMemory
    [3] PID 832  C:\Windows\system32\net1.exe  C:\Windows\system32\net1 stop Tensafe
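The individual signatures above are generic: any forced taskkill trips AdjustPrivilegeToken, and any child-process creation trips WriteProcessMemory. What actually characterises this script is the combination visible in the tree, one cmd.exe parent that stops services with `net stop` and force-kills a burst of image names with `taskkill /f /im`, one of them a Windows component. The Python below is an added example, not part of the sandbox report or of the analysed sample; it encodes that combination as a rule over process-creation records. The records are constructed from the process tree on this page, and their field layout, the `min_kills` threshold, the `SYSTEM_IMAGES` list, the placeholder parent PID 0 for cmd.exe (the report gives none) and all function names are this example's own assumptions.

```python
"""Rule over process-creation records: flag a parent that both stops services
with `net stop` and force-kills several image names with `taskkill /f /im`.

Added example, not code from the sandbox report or from the sample. EVENTS is
constructed from the report's process tree; the (parent_pid, pid, image,
command_line) layout, thresholds, SYSTEM_IMAGES and names are assumptions.
"""

import re
from collections import defaultdict

# Constructed from the report's tree. The report gives no parent for PID 2492,
# so 0 is used as a placeholder.
EVENTS = [
    (0, 2492, "cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\SHADOW BP + HAX 3.4\SETUP\Kill_Gameloop.bat"'),
    (2492, 2360, "net.exe", "net stop aow_drv"),
    (2360, 2824, "net1.exe", r"C:\Windows\system32\net1 stop aow_drv"),
    (2492, 1988, "net.exe", "net stop Tensafe"),
    (1988, 1688, "net1.exe", r"C:\Windows\system32\net1 stop Tensafe"),
    (2492, 1668, "taskkill.exe", "taskkill /f /im appmarket.exe"),
    (2492, 2212, "taskkill.exe", "taskkill /f /im androidemulator.exe"),
    (2492, 2792, "taskkill.exe", "taskkill /f /im aow_exe.exe"),
    (2492, 2844, "taskkill.exe", "taskkill /f /im QMEmulatorService.exe"),
    (2492, 2760, "taskkill.exe", "taskkill /f /im RuntimeBroker.exe"),
    (2492, 2424, "taskkill.exe", "taskkill /f /im adb.exe"),
    (2492, 2848, "taskkill.exe", "taskkill /f /im GameLoader.exe"),
    (2492, 2908, "taskkill.exe", "taskkill /f /im TSettingCenter.exe"),
    (2492, 2756, "taskkill.exe", "taskkill /f /im syzs_dl_svr.exe"),
    (2492, 2616, "taskkill.exe", "taskkill /f /im AndroidEmulator.exe"),
    (2492, 2592, "taskkill.exe", "taskkill /f /im AndroidEmulatorEn.exe"),
    (2492, 3044, "taskkill.exe", "taskkill /f /im AndroidEmulatorEx.exe"),
    (2492, 2396, "net.exe", "net stop aow_drv"),
    (2396, 3056, "net1.exe", r"C:\Windows\system32\net1 stop aow_drv"),
    (2492, 3060, "net.exe", "net stop Tensafe"),
    (3060, 832, "net1.exe", r"C:\Windows\system32\net1 stop Tensafe"),
]

# Optional path prefix, then net/net1 with or without .exe, then "stop <svc>".
NET_STOP = re.compile(r"^\s*(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
TASKKILL = re.compile(r"^\s*(?:\S*\\)?taskkill(?:\.exe)?\s+(?P<args>.*)$", re.I)
IMAGE_ARG = re.compile(r"/im\s+(\S+)", re.I)

# Windows components a game "cleanup" script has no reason to terminate.
# Constructed list for this example.
SYSTEM_IMAGES = {"runtimebroker.exe", "explorer.exe", "svchost.exe", "lsass.exe"}


def service_stopped(image, cmdline):
    """Return the service name if this process is a `net stop <svc>` call.
    net1.exe children are ignored so each stop is counted once."""
    if image.lower() != "net.exe":
        return None
    m = NET_STOP.match(cmdline)
    return m.group(1) if m else None


def forced_kill_targets(image, cmdline):
    """Return the image names a `taskkill /f ... /im <name>` call targets
    (lower-cased); a taskkill without /f returns an empty list."""
    if image.lower() != "taskkill.exe":
        return []
    m = TASKKILL.match(cmdline)
    if not m or "/f" not in m.group("args").lower().split():
        return []
    return [name.lower() for name in IMAGE_ARG.findall(m.group("args"))]


def find_kill_scripts(events, min_kills=3):
    """Group children by parent PID and flag every parent that stops at least
    one service and force-kills at least `min_kills` image names."""
    by_parent = defaultdict(list)
    for ppid, pid, image, cmdline in events:
        by_parent[ppid].append((pid, image, cmdline))

    findings = []
    for ppid, kids in by_parent.items():
        stopped, killed = [], []
        for _pid, image, cmdline in kids:
            svc = service_stopped(image, cmdline)
            if svc:
                stopped.append(svc)
            killed.extend(forced_kill_targets(image, cmdline))
        if stopped and len(killed) >= min_kills:
            findings.append({
                "parent_pid": ppid,
                "services_stopped": sorted(set(stopped), key=str.lower),
                "images_killed": killed,
                "system_images_killed": sorted(set(killed) & SYSTEM_IMAGES),
            })
    return findings


if __name__ == "__main__":
    for f in find_kill_scripts(EVENTS):
        print(f"parent PID {f['parent_pid']}: stopped {f['services_stopped']}, "
              f"force-killed {len(f['images_killed'])} image names, "
              f"Windows components hit: {f['system_images_killed']}")
```

Run against the constructed records the rule reports exactly one parent, PID 2492, with services aow_drv and Tensafe stopped, twelve forced kills, and runtimebroker.exe as the one Windows component in the kill list. The `system_images_killed` field is what separates this from an ordinary game-launcher cleanup script; the rest of the behaviour, on its own, is also what a legitimate emulator uninstaller would do.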