6722db26bb76c7b4f3ed4824f792005c8633dda2987f78440bf6be3bdea4807c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SHADOW BP + HAX 3.4/SETUP/Kill_Gameloop.bat
Size

507B
MD5

9b1141afa4c3fa4711363995f50293f9
SHA1

a42e270c2c3d42626607ede069ddbc88a62efee0
SHA256

3fc915854738ccfa1e5340a353fb11627c9a02fe956dcf29807b8e7b2dc4550c
SHA512

d57915a1df776ea0d3b1a6d4e285387d396f0c232f810a8b8be9c51737a0c90a2dac7b22224327fc60470b5d435f060f3bceacff75b1aadbf07167bdd130b198

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 12 IoCs

evasion

pid	Process
3428	taskkill.exe
2296	taskkill.exe
4980	taskkill.exe
5068	taskkill.exe
3952	taskkill.exe
1788	taskkill.exe
4288	taskkill.exe
2320	taskkill.exe
4872	taskkill.exe
3528	taskkill.exe
1172	taskkill.exe
1196	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 5052	728	cmd.exe	85
PID 728 wrote to memory of 5052	728	cmd.exe	85
PID 5052 wrote to memory of 1660	5052	net.exe	86
PID 5052 wrote to memory of 1660	5052	net.exe	86
PID 728 wrote to memory of 2860	728	cmd.exe	87
PID 728 wrote to memory of 2860	728	cmd.exe	87
PID 2860 wrote to memory of 3256	2860	net.exe	88
PID 2860 wrote to memory of 3256	2860	net.exe	88
PID 728 wrote to memory of 2320	728	cmd.exe	89
PID 728 wrote to memory of 2320	728	cmd.exe	89
PID 728 wrote to memory of 2296	728	cmd.exe	91
PID 728 wrote to memory of 2296	728	cmd.exe	91
PID 728 wrote to memory of 4872	728	cmd.exe	92
PID 728 wrote to memory of 4872	728	cmd.exe	92
PID 728 wrote to memory of 3528	728	cmd.exe	93
PID 728 wrote to memory of 3528	728	cmd.exe	93
PID 728 wrote to memory of 4980	728	cmd.exe	94
PID 728 wrote to memory of 4980	728	cmd.exe	94
PID 728 wrote to memory of 5068	728	cmd.exe	95
PID 728 wrote to memory of 5068	728	cmd.exe	95
PID 728 wrote to memory of 1172	728	cmd.exe	96
PID 728 wrote to memory of 1172	728	cmd.exe	96
PID 728 wrote to memory of 3952	728	cmd.exe	97
PID 728 wrote to memory of 3952	728	cmd.exe	97
PID 728 wrote to memory of 1788	728	cmd.exe	98
PID 728 wrote to memory of 1788	728	cmd.exe	98
PID 728 wrote to memory of 4288	728	cmd.exe	99
PID 728 wrote to memory of 4288	728	cmd.exe	99
PID 728 wrote to memory of 1196	728	cmd.exe	100
PID 728 wrote to memory of 1196	728	cmd.exe	100
PID 728 wrote to memory of 3428	728	cmd.exe	102
PID 728 wrote to memory of 3428	728	cmd.exe	102
PID 728 wrote to memory of 1328	728	cmd.exe	103
PID 728 wrote to memory of 1328	728	cmd.exe	103
PID 1328 wrote to memory of 4696	1328	net.exe	104
PID 1328 wrote to memory of 4696	1328	net.exe	104
PID 728 wrote to memory of 5100	728	cmd.exe	105
PID 728 wrote to memory of 5100	728	cmd.exe	105
PID 5100 wrote to memory of 4444	5100	net.exe	106
PID 5100 wrote to memory of 4444	5100	net.exe	106

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SHADOW BP + HAX 3.4\SETUP\Kill_Gameloop.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\system32\net.exe
  net stop aow_drv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop aow_drv
    3⤵
    PID:1660
- C:\Windows\system32\net.exe
  net stop Tensafe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Tensafe
    3⤵
    PID:3256
- C:\Windows\system32\taskkill.exe
  taskkill /f /im appmarket.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\system32\taskkill.exe
  taskkill /f /im androidemulator.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\system32\taskkill.exe
  taskkill /f /im aow_exe.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\system32\taskkill.exe
  taskkill /f /im QMEmulatorService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\system32\taskkill.exe
  taskkill /f /im RuntimeBroker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\system32\taskkill.exe
  taskkill /f /im adb.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\system32\taskkill.exe
  taskkill /f /im GameLoader.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\system32\taskkill.exe
  taskkill /f /im TSettingCenter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\system32\taskkill.exe
  taskkill /f /im syzs_dl_svr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\system32\taskkill.exe
  taskkill /f /im AndroidEmulator.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\system32\taskkill.exe
  taskkill /f /im AndroidEmulatorEn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\system32\taskkill.exe
  taskkill /f /im AndroidEmulatorEx.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\system32\net.exe
  net stop aow_drv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop aow_drv
    3⤵
    PID:4696
- C:\Windows\system32\net.exe
  net stop Tensafe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Tensafe
    3⤵
    PID:4444

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads