| File name: | Shadowlogger.exe |
| Full analysis: | https://app.any.run/tasks/cbcdc4a1-9e5a-4d3c-92ce-60e38fd4cf85 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | December 18, 2024, 03:55:16 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | A368E4EAA4AA2A2627397E8E88D90015 |
| SHA1: | 6D20A034D881E8D405C10A39D7A613B7C8EC1114 |
| SHA256: | 50A22BBB97648162CFF1D5081797352B999D30C355F32A3D5EA576F36093EDD6 |
| SSDEEP: | 384:JVlXQkGnx2/swqW5xTEQglpK/S7pTlK/47dt31++JAAE2ADOAIvdAucWmK/VY5lU:tQkGx6sc7TEQgljTZyyAyZmK/Oo |
MALICIOUS
Changes settings for real-time protection
- powershell.exe (PID: 4536)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 440)
- powershell.exe (PID: 5780)
- powershell.exe (PID: 6488)
- powershell.exe (PID: 424)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 2148)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6584)
Changes powershell execution policy (Bypass)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Bypass execution policy to execute commands
- powershell.exe (PID: 4536)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 440)
- powershell.exe (PID: 6880)
- powershell.exe (PID: 6924)
- powershell.exe (PID: 7008)
- powershell.exe (PID: 5780)
- powershell.exe (PID: 6488)
- powershell.exe (PID: 2148)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 6448)
- powershell.exe (PID: 424)
- powershell.exe (PID: 6568)
- powershell.exe (PID: 5604)
- powershell.exe (PID: 6516)
- powershell.exe (PID: 4640)
- powershell.exe (PID: 6468)
- powershell.exe (PID: 7076)
- powershell.exe (PID: 6076)
- powershell.exe (PID: 6628)
- powershell.exe (PID: 6800)
- powershell.exe (PID: 7080)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6648)
- powershell.exe (PID: 6584)
- powershell.exe (PID: 6564)
- powershell.exe (PID: 6976)
- powershell.exe (PID: 6312)
- powershell.exe (PID: 6520)
- powershell.exe (PID: 6788)
- powershell.exe (PID: 1140)
- powershell.exe (PID: 6148)
- powershell.exe (PID: 5968)
- powershell.exe (PID: 6916)
- powershell.exe (PID: 3808)
- powershell.exe (PID: 4592)
- powershell.exe (PID: 6428)
- powershell.exe (PID: 7128)
- powershell.exe (PID: 6632)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 1328)
- powershell.exe (PID: 6592)
- powershell.exe (PID: 6856)
- powershell.exe (PID: 6640)
- powershell.exe (PID: 3296)
- powershell.exe (PID: 6796)
- powershell.exe (PID: 6216)
- powershell.exe (PID: 6500)
- powershell.exe (PID: 6352)
- powershell.exe (PID: 6764)
- powershell.exe (PID: 6016)
- powershell.exe (PID: 6412)
- powershell.exe (PID: 7088)
- powershell.exe (PID: 7076)
- powershell.exe (PID: 6744)
- powershell.exe (PID: 6236)
- powershell.exe (PID: 6308)
- powershell.exe (PID: 6988)
- powershell.exe (PID: 6220)
- powershell.exe (PID: 6164)
- powershell.exe (PID: 6752)
- powershell.exe (PID: 4932)
- powershell.exe (PID: 1140)
- powershell.exe (PID: 6792)
- powershell.exe (PID: 6908)
- powershell.exe (PID: 768)
- powershell.exe (PID: 6616)
- powershell.exe (PID: 7144)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6964)
- powershell.exe (PID: 6892)
- powershell.exe (PID: 6936)
- powershell.exe (PID: 6416)
- powershell.exe (PID: 6168)
- powershell.exe (PID: 1228)
- powershell.exe (PID: 3876)
- powershell.exe (PID: 6988)
- powershell.exe (PID: 4136)
- powershell.exe (PID: 3296)
- powershell.exe (PID: 6964)
- powershell.exe (PID: 7044)
- powershell.exe (PID: 7060)
- powershell.exe (PID: 6948)
- powershell.exe (PID: 6924)
- powershell.exe (PID: 7288)
- powershell.exe (PID: 7600)
- powershell.exe (PID: 7368)
- powershell.exe (PID: 7516)
- powershell.exe (PID: 8008)
- powershell.exe (PID: 7908)
- powershell.exe (PID: 7284)
- powershell.exe (PID: 4264)
- powershell.exe (PID: 6384)
- powershell.exe (PID: 2040)
- powershell.exe (PID: 2432)
- powershell.exe (PID: 3692)
- powershell.exe (PID: 7892)
- powershell.exe (PID: 6416)
- powershell.exe (PID: 7456)
- powershell.exe (PID: 7472)
- powershell.exe (PID: 7536)
- powershell.exe (PID: 8048)
- powershell.exe (PID: 7508)
- powershell.exe (PID: 876)
- powershell.exe (PID: 1228)
- powershell.exe (PID: 5028)
- powershell.exe (PID: 7200)
- powershell.exe (PID: 7768)
- powershell.exe (PID: 8092)
- powershell.exe (PID: 8188)
Actions looks like stealing of personal data
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
Changes settings for protection against network attacks (IPS)
- powershell.exe (PID: 6924)
- powershell.exe (PID: 7008)
- powershell.exe (PID: 6880)
- powershell.exe (PID: 6468)
- powershell.exe (PID: 6516)
- powershell.exe (PID: 6800)
- powershell.exe (PID: 7076)
- powershell.exe (PID: 4640)
- powershell.exe (PID: 3808)
- powershell.exe (PID: 6916)
Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
- powershell.exe (PID: 6448)
- powershell.exe (PID: 6568)
- powershell.exe (PID: 5604)
- powershell.exe (PID: 6564)
- powershell.exe (PID: 6976)
- powershell.exe (PID: 6312)
- powershell.exe (PID: 6520)
- powershell.exe (PID: 6648)
- powershell.exe (PID: 6856)
- powershell.exe (PID: 6500)
Disables Windows Defender
- powershell.exe (PID: 6628)
- powershell.exe (PID: 6076)
- powershell.exe (PID: 1140)
- powershell.exe (PID: 6788)
- powershell.exe (PID: 6428)
- powershell.exe (PID: 6592)
- powershell.exe (PID: 1328)
- powershell.exe (PID: 6796)
- powershell.exe (PID: 6016)
- powershell.exe (PID: 6352)
- powershell.exe (PID: 6236)
- powershell.exe (PID: 6744)
- powershell.exe (PID: 7088)
- powershell.exe (PID: 7076)
- powershell.exe (PID: 6752)
- powershell.exe (PID: 4932)
- powershell.exe (PID: 7144)
- powershell.exe (PID: 6892)
- powershell.exe (PID: 6792)
Modifies registry (POWERSHELL)
- powershell.exe (PID: 7080)
- powershell.exe (PID: 6148)
- powershell.exe (PID: 4592)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 3296)
- powershell.exe (PID: 6308)
- powershell.exe (PID: 6220)
- powershell.exe (PID: 6964)
Starts NET.EXE for service management
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5308)
- net.exe (PID: 6800)
- net.exe (PID: 4536)
- Shadowlogger.exe (PID: 3364)
- Shadowlogger.exe (PID: 6768)
- net.exe (PID: 1292)
- net.exe (PID: 4120)
- net.exe (PID: 7136)
- net.exe (PID: 6068)
- net.exe (PID: 188)
- net.exe (PID: 6820)
- powershell.exe (PID: 7368)
- powershell.exe (PID: 4264)
- net.exe (PID: 7876)
- net.exe (PID: 7836)
- net.exe (PID: 8076)
- powershell.exe (PID: 6384)
- powershell.exe (PID: 6416)
- net.exe (PID: 2392)
- powershell.exe (PID: 7472)
- powershell.exe (PID: 7456)
- net.exe (PID: 6916)
- net.exe (PID: 8136)
- powershell.exe (PID: 876)
- net.exe (PID: 6984)
- net.exe (PID: 6648)
- powershell.exe (PID: 8092)
- powershell.exe (PID: 8188)
- net.exe (PID: 6068)
- powershell.exe (PID: 7768)
- net.exe (PID: 7856)
Uses NET.EXE to stop Windows Defender service
- powershell.exe (PID: 7368)
- powershell.exe (PID: 4264)
- net.exe (PID: 7836)
- powershell.exe (PID: 6384)
- net.exe (PID: 8076)
- net.exe (PID: 7876)
- powershell.exe (PID: 7472)
- net.exe (PID: 6916)
- powershell.exe (PID: 7456)
- net.exe (PID: 8136)
- powershell.exe (PID: 6416)
- net.exe (PID: 2392)
- powershell.exe (PID: 876)
- net.exe (PID: 6984)
- powershell.exe (PID: 8092)
- net.exe (PID: 6648)
- powershell.exe (PID: 8188)
- net.exe (PID: 6068)
- powershell.exe (PID: 7768)
- net.exe (PID: 7856)
Changes firewall settings
- Shadowlogger.exe (PID: 3364)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 6768)
Attempting to use instant messaging service
- Shadowlogger.exe (PID: 3364)
Stealers network behavior
- Shadowlogger.exe (PID: 3364)
SUSPICIOUS
Reads security settings of Internet Explorer
- Shadowlogger.exe (PID: 5404)
Process uses IPCONFIG to get network configuration information
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Application launched itself
- Shadowlogger.exe (PID: 5404)
The process bypasses the loading of PowerShell profile settings
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Starts POWERSHELL.EXE for commands execution
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Script disables Windows Defender's real-time protection
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Query Microsoft Defender preferences
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Possible usage of Discord/Telegram API has been detected (YARA)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
Suspicious use of NETSH.EXE
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Script disables Windows Defender's IPS
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 3364)
- Shadowlogger.exe (PID: 6768)
Creates new registry property (POWERSHELL)
- powershell.exe (PID: 6076)
- powershell.exe (PID: 6628)
- powershell.exe (PID: 7080)
- powershell.exe (PID: 1140)
- powershell.exe (PID: 6788)
- powershell.exe (PID: 6148)
- powershell.exe (PID: 4592)
- powershell.exe (PID: 5968)
- powershell.exe (PID: 6428)
- powershell.exe (PID: 6592)
- powershell.exe (PID: 6632)
- powershell.exe (PID: 7128)
- powershell.exe (PID: 1328)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 6216)
- powershell.exe (PID: 3296)
- powershell.exe (PID: 6640)
- powershell.exe (PID: 6796)
- powershell.exe (PID: 6352)
- powershell.exe (PID: 6016)
- powershell.exe (PID: 6412)
- powershell.exe (PID: 7088)
- powershell.exe (PID: 6744)
- powershell.exe (PID: 6236)
- powershell.exe (PID: 6308)
- powershell.exe (PID: 6988)
- powershell.exe (PID: 6764)
- powershell.exe (PID: 6220)
- powershell.exe (PID: 7076)
- powershell.exe (PID: 4932)
- powershell.exe (PID: 6752)
- powershell.exe (PID: 7144)
- powershell.exe (PID: 6164)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6964)
- powershell.exe (PID: 6792)
- powershell.exe (PID: 6892)
- powershell.exe (PID: 6416)
- powershell.exe (PID: 6908)
- powershell.exe (PID: 6168)
Script disables Windows Defender's behavior monitoring
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
The process connected to a server suspected of theft
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Uses NETSH.EXE to change the status of the firewall
- powershell.exe (PID: 4136)
- powershell.exe (PID: 7044)
- powershell.exe (PID: 3296)
- powershell.exe (PID: 7908)
- powershell.exe (PID: 7600)
- powershell.exe (PID: 7892)
- powershell.exe (PID: 8008)
- powershell.exe (PID: 8048)
- powershell.exe (PID: 7536)
- powershell.exe (PID: 7508)
INFO
Reads the machine GUID from the registry
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 3364)
- Shadowlogger.exe (PID: 6768)
Reads the computer name
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Checks supported languages
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Process checks computer location settings
- Shadowlogger.exe (PID: 5404)
The process uses the downloaded file
- Shadowlogger.exe (PID: 5404)
- powershell.exe (PID: 4536)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 440)
- powershell.exe (PID: 6076)
- powershell.exe (PID: 6352)
- powershell.exe (PID: 6428)
- powershell.exe (PID: 7008)
- powershell.exe (PID: 6924)
- powershell.exe (PID: 5780)
- powershell.exe (PID: 6488)
- powershell.exe (PID: 2148)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 424)
- powershell.exe (PID: 6448)
- powershell.exe (PID: 6516)
- powershell.exe (PID: 4640)
- powershell.exe (PID: 6800)
- powershell.exe (PID: 6948)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6564)
- powershell.exe (PID: 6584)
- powershell.exe (PID: 6312)
- powershell.exe (PID: 6976)
- powershell.exe (PID: 6648)
- powershell.exe (PID: 6520)
- powershell.exe (PID: 6916)
- powershell.exe (PID: 6616)
- powershell.exe (PID: 6924)
- powershell.exe (PID: 7060)
- powershell.exe (PID: 6948)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 6076)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 4536)
- powershell.exe (PID: 440)
- powershell.exe (PID: 6352)
- powershell.exe (PID: 6428)
- powershell.exe (PID: 6924)
- powershell.exe (PID: 6880)
- powershell.exe (PID: 7008)
- powershell.exe (PID: 5780)
- powershell.exe (PID: 2148)
- powershell.exe (PID: 6488)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 6448)
- powershell.exe (PID: 5604)
- powershell.exe (PID: 424)
- powershell.exe (PID: 6568)
- powershell.exe (PID: 6948)
- powershell.exe (PID: 4640)
- powershell.exe (PID: 6468)
- powershell.exe (PID: 6516)
- powershell.exe (PID: 6800)
- powershell.exe (PID: 6472)
- powershell.exe (PID: 7076)
- powershell.exe (PID: 6564)
- powershell.exe (PID: 6648)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6584)
- powershell.exe (PID: 6520)
- powershell.exe (PID: 6312)
- powershell.exe (PID: 6976)
- powershell.exe (PID: 3808)
- powershell.exe (PID: 6916)
- powershell.exe (PID: 6500)
- powershell.exe (PID: 6856)
- powershell.exe (PID: 1140)
- powershell.exe (PID: 768)
- powershell.exe (PID: 6616)
- powershell.exe (PID: 3876)
- powershell.exe (PID: 6988)
- powershell.exe (PID: 6924)
- powershell.exe (PID: 6936)
- powershell.exe (PID: 1228)
- powershell.exe (PID: 7060)
- powershell.exe (PID: 6948)
- powershell.exe (PID: 8096)
- powershell.exe (PID: 7644)
- powershell.exe (PID: 7280)
- powershell.exe (PID: 7504)
- powershell.exe (PID: 1744)
- powershell.exe (PID: 6404)
- powershell.exe (PID: 6412)
- powershell.exe (PID: 7224)
- powershell.exe (PID: 7544)
- powershell.exe (PID: 3420)
- powershell.exe (PID: 2484)
- powershell.exe (PID: 6676)
- powershell.exe (PID: 5200)
- powershell.exe (PID: 8168)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 5916)
- powershell.exe (PID: 3524)
- powershell.exe (PID: 6612)
- powershell.exe (PID: 6844)
- powershell.exe (PID: 6212)
- powershell.exe (PID: 8004)
- powershell.exe (PID: 7968)
- powershell.exe (PID: 4520)
- powershell.exe (PID: 3848)
- powershell.exe (PID: 1876)
- powershell.exe (PID: 8144)
- powershell.exe (PID: 7124)
- powershell.exe (PID: 6560)
- powershell.exe (PID: 6592)
- powershell.exe (PID: 2132)
- powershell.exe (PID: 3864)
- powershell.exe (PID: 6976)
- powershell.exe (PID: 7440)
- powershell.exe (PID: 3828)
- powershell.exe (PID: 3420)
- powershell.exe (PID: 6796)
- powershell.exe (PID: 4648)
- powershell.exe (PID: 7652)
- powershell.exe (PID: 7296)
- powershell.exe (PID: 6936)
- powershell.exe (PID: 7728)
- powershell.exe (PID: 7748)
- powershell.exe (PID: 6536)
- powershell.exe (PID: 7552)
- powershell.exe (PID: 7844)
- powershell.exe (PID: 7768)
- powershell.exe (PID: 7500)
- powershell.exe (PID: 6456)
- powershell.exe (PID: 7312)
- powershell.exe (PID: 7508)
- powershell.exe (PID: 4516)
- powershell.exe (PID: 7956)
- powershell.exe (PID: 7388)
- powershell.exe (PID: 6316)
- powershell.exe (PID: 7988)
- powershell.exe (PID: 6488)
- powershell.exe (PID: 7180)
- powershell.exe (PID: 7712)
- powershell.exe (PID: 1796)
- powershell.exe (PID: 7260)
- powershell.exe (PID: 7240)
- powershell.exe (PID: 7632)
- powershell.exe (PID: 8084)
- powershell.exe (PID: 6588)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 4536)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 440)
- powershell.exe (PID: 7008)
- powershell.exe (PID: 5256)
- powershell.exe (PID: 5780)
- powershell.exe (PID: 6488)
- powershell.exe (PID: 2148)
- powershell.exe (PID: 424)
- powershell.exe (PID: 6568)
- powershell.exe (PID: 6448)
- powershell.exe (PID: 5604)
- powershell.exe (PID: 6468)
- powershell.exe (PID: 7080)
- powershell.exe (PID: 6648)
- powershell.exe (PID: 6564)
- powershell.exe (PID: 6584)
- powershell.exe (PID: 7100)
- powershell.exe (PID: 6976)
- powershell.exe (PID: 6312)
- powershell.exe (PID: 6520)
- powershell.exe (PID: 6148)
- powershell.exe (PID: 4592)
- powershell.exe (PID: 6756)
- powershell.exe (PID: 3296)
- powershell.exe (PID: 6500)
- powershell.exe (PID: 6856)
- powershell.exe (PID: 6308)
- powershell.exe (PID: 6220)
- powershell.exe (PID: 6964)
- powershell.exe (PID: 6964)
- powershell.exe (PID: 7288)
- powershell.exe (PID: 7516)
- powershell.exe (PID: 7284)
- powershell.exe (PID: 2432)
- powershell.exe (PID: 2040)
- powershell.exe (PID: 3692)
- powershell.exe (PID: 1140)
- powershell.exe (PID: 1228)
- powershell.exe (PID: 7200)
- powershell.exe (PID: 5028)
Reads the software policy settings
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 6768)
Disables trace logs
- Shadowlogger.exe (PID: 5404)
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 5308)
Create files in a temporary directory
- Shadowlogger.exe (PID: 3724)
Checks proxy server information
- Shadowlogger.exe (PID: 3724)
- Shadowlogger.exe (PID: 6768)
Attempting to use instant messaging service
- Shadowlogger.exe (PID: 5308)
- Shadowlogger.exe (PID: 6768)
- Shadowlogger.exe (PID: 3364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2086:04:21 12:39:16+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 29184 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9132 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | Shadow logger |
| FileVersion: | 1.0.0.0 |
| InternalName: | Shadow logger.exe |
| LegalCopyright: | Copyright © 2024 |
| LegalTrademarks: | - |
| OriginalFileName: | Shadow logger.exe |
| ProductName: | Shadow logger |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
694
Monitored processes
566
Malicious processes
56
Suspicious processes
30
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 188 | "net.exe" stop WinDefend | C:\Windows\SysWOW64\net.exe | — | Shadowlogger.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 420 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 424 | "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | Shadowlogger.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 432 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 432 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 440 | "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | Shadowlogger.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 520 | "netsh" advfirewall show allprofiles state | C:\Windows\SysWOW64\netsh.exe | — | Shadowlogger.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 732 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 736 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | ipconfig.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 736 | C:\WINDOWS\system32\net1 stop MpsSvc | C:\Windows\SysWOW64\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
880 559
Read events
880 440
Write events
119
Delete events
0
Modification events
| (PID) Process: | (6628) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (6076) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (1140) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
| Operation: | write | Name: | DisableBehaviorMonitoring |
Value: 1 | |||
| (PID) Process: | (6788) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
| Operation: | write | Name: | DisableBehaviorMonitoring |
Value: 1 | |||
| (PID) Process: | (5968) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (6428) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
| Operation: | write | Name: | DisableOnAccessProtection |
Value: 1 | |||
| (PID) Process: | (6592) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (1328) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
| Operation: | write | Name: | DisableOnAccessProtection |
Value: 1 | |||
| (PID) Process: | (7128) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (6632) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
Executable files
0
Suspicious files
2
Text files
452
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kzzhonwy.ffs.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gv4vhh5u.5ik.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4zf0kptf.qxo.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0omf4dzw.1rh.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5256 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zmofti2h.zw2.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_efhnddsg.lqp.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ewplixor.scu.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_la1lrlse.g4j.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5256 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jrsrh1op.5n3.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3e35cco0.j1c.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
33
DNS requests
9
Threats
17
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4024 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4024 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 404 | 162.159.137.232:443 | https://discord.com/api/webhooks/1318763585270321252/4f8YS-MHKUJ6cVc-UHxoJ5ISue6vWXh2RfXIikBqKwjcIoOt-JKshPKLferA7rIrNx_F | unknown | binary | 45 b | whitelisted |
— | — | POST | 404 | 162.159.138.232:443 | https://discord.com/api/webhooks/1318763585270321252/4f8YS-MHKUJ6cVc-UHxoJ5ISue6vWXh2RfXIikBqKwjcIoOt-JKshPKLferA7rIrNx_F | unknown | binary | 45 b | whitelisted |
— | — | POST | 404 | 162.159.138.232:443 | https://discord.com/api/webhooks/1318763585270321252/4f8YS-MHKUJ6cVc-UHxoJ5ISue6vWXh2RfXIikBqKwjcIoOt-JKshPKLferA7rIrNx_F | unknown | binary | 45 b | whitelisted |
— | — | POST | 404 | 162.159.136.232:443 | https://discord.com/api/webhooks/1318763585270321252/4f8YS-MHKUJ6cVc-UHxoJ5ISue6vWXh2RfXIikBqKwjcIoOt-JKshPKLferA7rIrNx_F | unknown | binary | 45 b | whitelisted |
— | — | POST | 404 | 162.159.135.232:443 | https://discord.com/api/webhooks/1318763585270321252/4f8YS-MHKUJ6cVc-UHxoJ5ISue6vWXh2RfXIikBqKwjcIoOt-JKshPKLferA7rIrNx_F | unknown | binary | 45 b | whitelisted |
— | — | POST | 404 | 162.159.135.232:443 | https://discord.com/api/webhooks/1318763585270321252/4f8YS-MHKUJ6cVc-UHxoJ5ISue6vWXh2RfXIikBqKwjcIoOt-JKshPKLferA7rIrNx_F | unknown | binary | 45 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4024 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4024 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4024 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4024 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
discord.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
5404 | Shadowlogger.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
5404 | Shadowlogger.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
5308 | Shadowlogger.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
3724 | Shadowlogger.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
3724 | Shadowlogger.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
5308 | Shadowlogger.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
6768 | Shadowlogger.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
6768 | Shadowlogger.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
3364 | Shadowlogger.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |