General Info

File name

GamezBDO.exe

Full analysis
https://app.any.run/tasks/f6625dfd-450d-4cfb-b121-2fdcb1fe1ba2
Verdict
Malicious activity
Analysis date
9/11/2019, 09:58:10
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

be40497054dd589e7cbec7f5dacfdccb

SHA1

8eafacedf876900ba5cbc4e003c3e7e39338458d

SHA256

21252cdd6c6b258e02b9b9da1d9fe16b932edda7df55c0be90ddf1f94f2e483c

SSDEEP

196608:izyEftidD/WCVAx4nT8SAd+94vDXEDXUwheEDLKlHsDFchBC+Bv:iFAD/WC84Yjd+94vDXEDXUwheEDLKlHj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Renames files like Ransomware
  • GamezBDO.exe (PID: 3732)
Changes settings of System certificates
  • GamezBDO.exe (PID: 3732)
Executable content was dropped or overwritten
  • GamezBDO.exe (PID: 3732)
Modifies the open verb of a shell class
  • GamezBDO.exe (PID: 3732)
Reads Environment values
  • GamezBDO.exe (PID: 3732)
Adds / modifies Windows certificates
  • GamezBDO.exe (PID: 3732)

No info indicators.

Static information

TRiD
.exe | Win32 EXE PECompact compressed (generic) (35.3%)
.exe | Win32 Executable MS Visual C++ (generic) (26.5%)
.exe | Win64 Executable (generic) (23.4%)
.dll | Win32 Dynamic Link Library (generic) (5.5%)
.exe | Win32 Executable (generic) (3.8%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:08:08 23:58:41+02:00
PEType:
PE32
LinkerVersion:
48
CodeSize:
9022976
InitializedDataSize:
637440
UninitializedDataSize:
null
EntryPoint:
0x93e00a
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
6
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
GamezBDO Game Launcher
CompanyName:
GamezBDO
FileDescription:
GamezBDO
FileVersion:
1.0.0.0
InternalName:
GamezBDO.exe
LegalCopyright:
Copyright GamezNetwork © 2019
LegalTrademarks:
null
OriginalFileName:
GamezBDO.exe
ProductName:
GamezBDO
ProductVersion:
1.0.0.0
AssemblyVersion:
1.0.7159.32360
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
08-Aug-2019 21:58:41
Comments:
GamezBDO Game Launcher
CompanyName:
GamezBDO
FileDescription:
GamezBDO
FileVersion:
1.0.0.0
InternalName:
GamezBDO.exe
LegalCopyright:
Copyright GamezNetwork © 2019
LegalTrademarks:
null
OriginalFilename:
GamezBDO.exe
ProductName:
GamezBDO
ProductVersion:
1.0.0.0
Assembly Version:
1.0.7159.32360
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
08-Aug-2019 21:58:41
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
=4f\x038vq/l$\x08 0x00002000 0x0008246C 0x00082600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.99965
.text 0x00086000 0x0089AB58 0x0089AC00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 7.3266
.rsrc 0x00922000 0x00019038 0x00019200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.89264
.reloc 0x0093C000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.0980042
0x0093E000 0x00000010 0x00000200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 0.142636
Resources
1, 2, 3, 4, 5, 32512

Imports
    mscoree.dll

Exports

    No exports.

Processes

Total processes
43
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Process chain (interactive graph not reproduced): start > gamezbdo.exe (no specs) > gamezbdo.exe > bcdedit.exe (no specs), bcdedit.exe (no specs)

Process information

PID
2516
CMD
"C:\Users\admin\Desktop\GamezBDO.exe"
Path
C:\Users\admin\Desktop\GamezBDO.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
GamezBDO
Description
GamezBDO
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\gamezbdo.exe
c:\systemroot\system32\ntdll.dll

PID
3732
CMD
"C:\Users\admin\Desktop\GamezBDO.exe"
Path
C:\Users\admin\Desktop\GamezBDO.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
GamezBDO
Description
GamezBDO
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\gamezbdo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\0d5a8e6f89227cc5d954e65856f9cf1a\windowsbase.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\e7873d3bd71f6122c2a954be1bb5bb28\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\4d290752f65a065fcde70178562c3383\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wintrust.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorsecimpl.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\867cbe7462b04e2cf1ae39abb576ae2a\presentationframework.classic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\system32\mscms.dll
c:\windows\system32\windowscodecsext.dll
c:\windows\system32\icm32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\powrprof.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio49d6fefe#\f52bfe40c54917622ed3abb98db8f90a\presentationframework-systemxml.ni.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\1e1a1bd97e618bc4934ee967bea27ae8\uiautomationtypes.ni.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\winmm.dll

PID
2752
CMD
"bcdedit.exe" -set loadoptions ENABLE_INTEGRITY_CHECKS
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
GamezBDO.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2840
CMD
"bcdedit.exe" -set TESTSIGNING OFF
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
GamezBDO.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Registry activity

Total events
103
Read events
68
Write events
35
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3732 | GamezBDO.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3732 | GamezBDO.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3732 | GamezBDO.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 | Blob | (binary value not shown)
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 | Blob | (binary value not shown)
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASAPI32 | EnableFileTracing | 0
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASAPI32 | EnableConsoleTracing | 0
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASAPI32 | FileTracingMask | 4294901760
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASAPI32 | ConsoleTracingMask | 4294901760
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASAPI32 | MaxFileSize | 1048576
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASAPI32 | FileDirectory | %windir%\tracing
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASMANCS | EnableFileTracing | 0
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASMANCS | EnableConsoleTracing | 0
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASMANCS | FileTracingMask | 4294901760
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASMANCS | ConsoleTracingMask | 4294901760
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASMANCS | MaxFileSize | 1048576
3732 | GamezBDO.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GamezBDO_RASMANCS | FileDirectory | %windir%\tracing
3732 | GamezBDO.exe | write | HKEY_CLASSES_ROOT\discord-480028110285176842 | –– | URL:Run game 480028110285176842 protocol
3732 | GamezBDO.exe | write | HKEY_CLASSES_ROOT\discord-480028110285176842 | URL Protocol | ––
3732 | GamezBDO.exe | write | HKEY_CLASSES_ROOT\discord-480028110285176842\DefaultIcon | –– | C:\Users\admin\Desktop\GamezBDO.exe
3732 | GamezBDO.exe | write | HKEY_CLASSES_ROOT\discord-480028110285176842\shell\open\command | –– | C:\Users\admin\Desktop\GamezBDO.exe
3732 | GamezBDO.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | GamezBDO.exe
2752 | bcdedit.exe | write | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\12000030 | Element | ENABLE_INTEGRITY_CHECKS
2840 | bcdedit.exe | write | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{345b46fd-a9f9-11e7-a83c-e8a4f72b1d33}\Elements\16000049 | Element | 00

Files activity

Executable files
2
Suspicious files
4
Text files
23
Unknown types
0

Dropped files

PID
Process
Filename
Type
3732
GamezBDO.exe
C:\Users\admin\Desktop\GamezBDO.exe
executable
MD5: 09da379f6b243d937b9259421311a7a7
SHA256: 0d65b2b02c43035802af6b4fd577a13e8f563d07853c59d6f49c37bac6e13964
3732
GamezBDO.exe
C:\Users\admin\Desktop\GamezBDO.exe.old
executable
MD5: be40497054dd589e7cbec7f5dacfdccb
SHA256: 21252cdd6c6b258e02b9b9da1d9fe16b932edda7df55c0be90ddf1f94f2e483c
3732
GamezBDO.exe
C:\Users\admin\Desktop\Logs\2019-11-9_08-58-52.bdlog
text
MD5: f6e00e4229fcfbdcd1058f25ff2952f1
SHA256: 356bb398b0507533ea29f7bece325bd5e6f207d5ab8616ad6a8b3fac6675e518
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\Temp\TarFA73.tmp
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\GamezBDO\update_cache.dat
text
MD5: f9dd90db35afd4382756e32491333149
SHA256: c9eeaa858117b433fa821a8a3bcf7fa10f6fae2ccdf2979e4678735e40298ebf
3732
GamezBDO.exe
C:\Users\admin\Desktop\Logs\2019-11-9_08-58-52.bdlog
text
MD5: 12aed1566aa382061b8b05b1d597eed4
SHA256: 4a7a74ffb51e873fa78122bc9155ac95f2221e885b448ed4d9147dd320055ca5
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\GamezBDO\GamezBDO.exe_Url_ghlvvni3qwjtmpzwa01iqzt4jnz0nugr\1.0.7159.32360\user.config
xml
MD5: c95f4e7d3e9a19fe3acb27029a3a57c6
SHA256: 9485300e0ae245bf9a201f03c285867f2fac43ca8e896a716d6a6b21b2659be9
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\GamezBDO\GamezBDO.exe_Url_ghlvvni3qwjtmpzwa01iqzt4jnz0nugr\1.0.7159.32360\e3q35oz2.newcfg
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\GamezBDO\GamezBDO.exe_Url_ghlvvni3qwjtmpzwa01iqzt4jnz0nugr\1.0.7159.32360\1ji5ppln.newcfg
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\GamezBDO\GamezBDO.exe_Url_ghlvvni3qwjtmpzwa01iqzt4jnz0nugr\1.0.7159.32360\10lqvc0u.newcfg
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 8df6fc21707fd5749a6db6568bccd545
SHA256: 64d8b7dfa9e966bd6349322d753a87f445c8ef19fa13ac5c9df644d5447ad8c5
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\Temp\TarFAF4.tmp
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: 93871e1433144c58cab0deddd1d46925
SHA256: 3193f3035a4f457d66bab3048880aac2eb8557027f6373e606d4621609af1068
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\Temp\CabFAF3.tmp
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\Temp\CabFA83.tmp
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\Temp\TarFA84.tmp
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\AppData\Local\Temp\CabFA72.tmp
––
MD5:  ––
SHA256:  ––
3732
GamezBDO.exe
C:\Users\admin\Desktop\Logs\2019-11-9_08-58-52.bdlog
text
MD5: 1c0a91797cdf07ae1caad90610a26bf5
SHA256: 9d121bb34d6daf094a48382373f9ebb7d3bab2cfef0e55215af532557d6e816d

Network activity

HTTP(S) requests
5
TCP/UDP connections
3
DNS requests
3
Threats
4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3732 | GamezBDO.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | –– | whitelisted
3732 | GamezBDO.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4.crt | US | der | –– | whitelisted
3732 | GamezBDO.exe | GET | 200 | 104.28.7.186:80 | http://play.gamezbd.net/launcher/launcher.xml | US | xml | –– | suspicious
3732 | GamezBDO.exe | GET | 200 | 104.28.7.186:80 | http://play.gamezbd.net/launcher/update.xml | US | xml | –– | suspicious
3732 | GamezBDO.exe | GET | –– | 104.28.7.186:80 | http://play.gamezbd.net/launcher/GamezBDO.exe | US | –– | –– | suspicious

Connections

PID | Process | IP | ASN | CN | Reputation
3732 | GamezBDO.exe | 91.199.212.52:80 | Comodo CA Ltd | GB | unknown
3732 | GamezBDO.exe | 93.184.221.240:80 | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3732 | GamezBDO.exe | 104.28.7.186:80 | Cloudflare Inc | US | suspicious

DNS requests

Domain | IP | Reputation
crt.comodoca.com | 91.199.212.52 | whitelisted
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
play.gamezbd.net | 104.28.7.186, 104.28.6.186 | suspicious

Threats

PID | Process | Class | Message
3732 | GamezBDO.exe | A Network Trojan was detected | ET POLICY User-Agent (Launcher)
3732 | GamezBDO.exe | A Network Trojan was detected | ET POLICY User-Agent (Launcher)
3732 | GamezBDO.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3732 | GamezBDO.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Debug output strings

No debug info.