Edit tour

Windows Analysis Report
ShadowLoader.exe

Overview

General Information

Sample name:	ShadowLoader.exe
Analysis ID:	1635816
MD5:	77426a52b51ccd6684e2b3d1baab24d0
SHA1:	18e4feb56511bb29f2a857ec33a0c0ebcdbb4d0c
SHA256:	74c87f00f6a4752be3b17a9799d0e3df4187ff317e9735757c5d446f27d12a7d
Tags:	exeuser-BastianHein
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ShadowLoader.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\ShadowLoader.exe" MD5: 77426A52B51CCD6684E2B3D1BAAB24D0)

ShadowLoader.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\ShadowLoader.exe" MD5: 77426A52B51CCD6684E2B3D1BAAB24D0)

WerFault.exe (PID: 7880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 788 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["astralconnec.icu/DPowko", "begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"], "Build id": "5de2dfd9707e99175a8227b8f37d09cb3d23f436cbcc486f9e91fcfa"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2547626693.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.ShadowLoader.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.ShadowLoader.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.ShadowLoader.exe.3429550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T02:09:20.214361+0100	2028371	3	Unknown Traffic	192.168.2.6	49697	149.154.167.99	443	TCP
2025-03-12T02:09:23.566807+0100	2028371	3	Unknown Traffic	192.168.2.6	49698	92.122.104.90	443	TCP
2025-03-12T02:09:26.431286+0100	2028371	3	Unknown Traffic	192.168.2.6	49701	104.21.64.1	443	TCP
2025-03-12T02:09:29.637397+0100	2028371	3	Unknown Traffic	192.168.2.6	49704	92.122.104.90	443	TCP
2025-03-12T02:09:32.462263+0100	2028371	3	Unknown Traffic	192.168.2.6	49705	92.122.104.90	443	TCP
2025-03-12T02:09:35.111756+0100	2028371	3	Unknown Traffic	192.168.2.6	49706	104.21.64.1	443	TCP
2025-03-12T02:09:37.859209+0100	2028371	3	Unknown Traffic	192.168.2.6	49707	92.122.104.90	443	TCP
2025-03-12T02:09:40.562907+0100	2028371	3	Unknown Traffic	192.168.2.6	49708	104.21.64.1	443	TCP
2025-03-12T02:09:41.885619+0100	2028371	3	Unknown Traffic	192.168.2.6	49709	23.197.127.21	443	TCP
2025-03-12T02:09:43.752627+0100	2028371	3	Unknown Traffic	192.168.2.6	49710	23.197.127.21	443	TCP
2025-03-12T02:09:46.410021+0100	2028371	3	Unknown Traffic	192.168.2.6	49711	104.21.64.1	443	TCP
2025-03-12T02:09:49.506873+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	23.197.127.21	443	TCP
2025-03-12T02:09:52.388907+0100	2028371	3	Unknown Traffic	192.168.2.6	49713	104.21.64.1	443	TCP
2025-03-12T02:09:55.533499+0100	2028371	3	Unknown Traffic	192.168.2.6	49714	23.197.127.21	443	TCP
2025-03-12T02:09:58.398193+0100	2028371	3	Unknown Traffic	192.168.2.6	49715	104.21.64.1	443	TCP
2025-03-12T02:10:08.278936+0100	2028371	3	Unknown Traffic	192.168.2.6	49718	92.122.104.90	443	TCP
2025-03-12T02:10:11.340660+0100	2028371	3	Unknown Traffic	192.168.2.6	49719	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T02:09:06.211920+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49690	172.67.74.152	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ShadowLoader.exe

Avira: detected

Antivirus detection for URL or domain

Source: begindecafer.world/QwdZdf	Avira URL Cloud: Label: malware
Source: fostinjec.today/LksNAz	Avira URL Cloud: Label: malware
Source: orangemyther.live/IozZ	Avira URL Cloud: Label: malware
Source: arisechairedd.shop/JnsHY	Avira URL Cloud: Label: malware
Source: garagedrootz.top/oPsoJAN	Avira URL Cloud: Label: malware
Source: astralconnec.icu/DPowko	Avira URL Cloud: Label: malware
Source: catterjur.run/boSnzhu	Avira URL Cloud: Label: malware
Source: modelshiverd.icu/bJhnsj	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["astralconnec.icu/DPowko", "begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"], "Build id": "5de2dfd9707e99175a8227b8f37d09cb3d23f436cbcc486f9e91fcfa"}

Multi AV Scanner detection for submitted file

Source: ShadowLoader.exe	ReversingLabs: Detection: 86%
Source: ShadowLoader.exe	Virustotal: Detection: 76%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: astralconnec.icu/DPowko
Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: begindecafer.world/QwdZdf
Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garagedrootz.top/oPsoJAN
Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: modelshiverd.icu/bJhnsj
Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: arisechairedd.shop/JnsHY
Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: catterjur.run/boSnzhu
Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: orangemyther.live/IozZ
Source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fostinjec.today/LksNAz

Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041B889 CryptUnprotectData,		3_2_0041B889
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00420C7F CryptUnprotectData,		3_2_00420C7F

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49719 version: TLS 1.2

Source: ShadowLoader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: ShadowLoader.exe
Source:	Binary string: Portals.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERE60.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: ShadowLoader.exe
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE60.tmp.dmp.6.dr
Source:	Binary string: Portals.pdbSystem.ni.dlln= source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERE60.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\ShadowLoader.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then push edi	3_2_00411055
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	3_2_0044F0D0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	3_2_0044F1F0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-757A854Bh]	3_2_00450290
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_004504E0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1D023CB4h]	3_2_00450800
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [esi], dx	3_2_0041B889
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	3_2_0041B889
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-36F469BEh]	3_2_0041B889
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000168h]	3_2_0041B889
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+04h]	3_2_0041A8B0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	3_2_0041292E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+616B0082h]	3_2_0040EABE
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then jmp ecx	3_2_0040EABE
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then jmp ecx	3_2_0040EBE0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+10h]	3_2_00421C80
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A566C0CEh	3_2_00421C80
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042DD7A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-3EBE6F0Ch]	3_2_0043806A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00434032
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+10h]	3_2_00434032
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00434032
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [ecx], bl	3_2_00411151
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax+526739DEh]	3_2_00411151
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_0042B160
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [ebx], cl	3_2_0043919E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ebx, bx	3_2_004301A3
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_004371AD
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then jmp eax	3_2_0041D25D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_0040A200
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_0040A200
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then jmp eax	3_2_004202DF
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_004242A6
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_00420347
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	3_2_0042137A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx]	3_2_0040C310
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov eax, 31C91D1Eh	3_2_0044C3ED
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	3_2_00447390
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_0043A45B
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-0027707Ah]	3_2_004334F2
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h]	3_2_00434560
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00435500
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	3_2_0042A5C0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [ecx], dl	3_2_0042459C
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax-2A3E6A48h]	3_2_0044C59B
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	3_2_00448641
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+04h]	3_2_00448641
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	3_2_00448641
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then push ebx	3_2_0041264D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0043765E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	3_2_0044F670
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+10h]	3_2_0041C6B9
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-62h]	3_2_0041C6B9
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov dword ptr [esi], edx	3_2_004386BE
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], dx	3_2_0041B700
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041F715
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax-2A3E6A48h]	3_2_0044C712
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1005DACEh]	3_2_004107D3
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041A7F0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-52h]	3_2_00433857
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	3_2_0044D850
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then push dword ptr [esp+0Ch]	3_2_00434960
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-36F469BEh]	3_2_0041B912
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000168h]	3_2_0041B912
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1D023CB4h]	3_2_004509A0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-12797E7Eh]	3_2_0042EA52
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000878h]	3_2_0042EA52
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00442A50
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-0Eh]	3_2_00410B5B
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov esi, edx	3_2_0041DB0B
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-12797E7Eh]	3_2_0042FB11
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000878h]	3_2_0042FB11
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], 744E5843h	3_2_0044ABF0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00437BBF
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1AC89368h]	3_2_0042AC40
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_0042AC40
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov dword ptr [esp+08h], edx	3_2_0040FC90
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00433C93
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-36F469BEh]	3_2_0041BD1D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000168h]	3_2_0041BD1D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00437EF0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	3_2_00448F76
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	3_2_0044AF30
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 720EEED4h	3_2_0044AFF0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0044AFF0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+465A9F5Ch]	3_2_00420F80
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041EECC

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: astralconnec.icu/DPowko
Source: Malware configuration extractor	URLs: begindecafer.world/QwdZdf
Source: Malware configuration extractor	URLs: garagedrootz.top/oPsoJAN
Source: Malware configuration extractor	URLs: modelshiverd.icu/bJhnsj
Source: Malware configuration extractor	URLs: arisechairedd.shop/JnsHY
Source: Malware configuration extractor	URLs: catterjur.run/boSnzhu
Source: Malware configuration extractor	URLs: orangemyther.live/IozZ
Source: Malware configuration extractor	URLs: fostinjec.today/LksNAz

Source: global traffic	HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: Joe Sandbox View	IP Address: 92.122.104.90 92.122.104.90
Source: Joe Sandbox View	IP Address: 23.197.127.21 23.197.127.21
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49697 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49706 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49704 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49701 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49705 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49698 -> 92.122.104.90:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 23.197.127.21:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49690 -> 172.67.74.152:443

Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=xYs7KzOyzO8Bc4gioO5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14938Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=s413IMd7NJ1PuUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15089Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=r0na2G62zDYPryulhUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19966Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7x2H155BWVhOqQpR1KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2627Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=12O5Zh29User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586182Host: exploreth.shop
Source: global traffic	HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103Host: exploreth.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveHost: steamcommunity.com

Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C92a6885e6f9b14c4e43d76654e8007c1; path=/; secure; HttpOnly; SameSite=Nonesessionid=ada3a7da3dc8bdcb0d769d50; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35720Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 12 Mar 2025 01:10:08 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controlu equals www.youtube.com (Youtube)
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: m/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: astralconnec.icu
Source: global traffic	DNS traffic detected: DNS query: begindecafer.world
Source: global traffic	DNS traffic detected: DNS query: garagedrootz.top
Source: global traffic	DNS traffic detected: DNS query: modelshiverd.icu
Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: catterjur.run
Source: global traffic	DNS traffic detected: DNS query: orangemyther.live
Source: global traffic	DNS traffic detected: DNS query: fostinjec.today
Source: global traffic	DNS traffic detected: DNS query: sterpickced.digital
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: exploreth.shop

Source: unknown

HTTP traffic detected: POST /gJKDA HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: exploreth.shop

Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fas
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=J1-T6FXbrr0Z&a
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=jfdbROVe
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0wL-
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=whw8EcafG167&l=e
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/respons
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=PCCoCNLxwF4M&am
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: ShadowLoader.exe, 00000003.00000002.2548790483.0000000001396000.00000004.00000020.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/
Source: ShadowLoader.exe, 00000003.00000002.2548790483.0000000001396000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/98
Source: ShadowLoader.exe, 00000003.00000002.2548882084.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2548790483.0000000001396000.00000004.00000020.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2548611578.0000000001338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop/gJKDA
Source: ShadowLoader.exe, 00000003.00000002.2548436396.0000000001315000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop:443/gJKDAal
Source: ShadowLoader.exe, 00000003.00000002.2548436396.0000000001315000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop:443/gJKDAffxt.default-release/key4.dbPK
Source: ShadowLoader.exe, 00000003.00000002.2548436396.0000000001315000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exploreth.shop:443/gJKDAofiles/76561199822375128ta
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: ShadowLoader.exe, 00000003.00000002.2548882084.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/AAAA
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199822375128
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: ShadowLoader.exe, 00000003.00000002.2548790483.0000000001396000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/badges
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: ShadowLoader.exe, 00000003.00000002.2548436396.0000000001315000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128
Source: ShadowLoader.exe, 00000003.00000002.2548436396.0000000001315000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128ta
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: ShadowLoader.exe, 00000003.00000002.2549398607.0000000003B38000.00000004.00000800.00020000.00000000.sdmp, ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: ShadowLoader.exe, 00000003.00000002.2549193218.0000000003A9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: ShadowLoader.exe, 00000003.00000002.2548011816.00000000010FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://t.me
Source: ShadowLoader.exe, 00000003.00000002.2548266398.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asdawfq
Source: ShadowLoader.exe, 00000003.00000002.2548011816.00000000010FA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://t.meawfq
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: ShadowLoader.exe, 00000003.00000002.2548722546.0000000001384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49719 version: TLS 1.2

Source: C:\Users\user\Desktop\ShadowLoader.exe

Code function: 3_2_00440D60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

3_2_00440D60

Source: C:\Users\user\Desktop\ShadowLoader.exe

Code function: 3_2_038F1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_038F1000

Source: C:\Users\user\Desktop\ShadowLoader.exe

Code function: 3_2_00440D60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

3_2_00440D60

Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 2_2_00C42630	2_2_00C42630
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004171E0	3_2_004171E0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044F1F0	3_2_0044F1F0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00431340	3_2_00431340
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004463E0	3_2_004463E0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044A670	3_2_0044A670
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00446730	3_2_00446730
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004157CD	3_2_004157CD
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041B889	3_2_0041B889
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040B8B0	3_2_0040B8B0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041A8B0	3_2_0041A8B0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041292E	3_2_0041292E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00439A83	3_2_00439A83
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040EABE	3_2_0040EABE
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00421C80	3_2_00421C80
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042DD7A	3_2_0042DD7A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044CF50	3_2_0044CF50
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00401040	3_2_00401040
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044E06D	3_2_0044E06D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040E017	3_2_0040E017
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00434032	3_2_00434032
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00426030	3_2_00426030
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00411151	3_2_00411151
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00448150	3_2_00448150
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004331D4	3_2_004331D4
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004301A3	3_2_004301A3
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004291B0	3_2_004291B0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043E1B0	3_2_0043E1B0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041D25D	3_2_0041D25D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00426260	3_2_00426260
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043B265	3_2_0043B265
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040F27E	3_2_0040F27E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040A200	3_2_0040A200
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043235C	3_2_0043235C
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042137A	3_2_0042137A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042D379	3_2_0042D379
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040C310	3_2_0040C310
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00428311	3_2_00428311
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00447390	3_2_00447390
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043C3A4	3_2_0043C3A4
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043D411	3_2_0043D411
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00409420	3_2_00409420
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044442D	3_2_0044442D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004034F0	3_2_004034F0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004334F2	3_2_004334F2
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042E480	3_2_0042E480
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041648E	3_2_0041648E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040D4A0	3_2_0040D4A0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00430550	3_2_00430550
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00434560	3_2_00434560
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044E500	3_2_0044E500
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042A5C0	3_2_0042A5C0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004405D0	3_2_004405D0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044E5E0	3_2_0044E5E0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00425580	3_2_00425580
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00448641	3_2_00448641
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044F670	3_2_0044F670
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040C620	3_2_0040C620
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00414637	3_2_00414637
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041C6B9	3_2_0041C6B9
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00404772	3_2_00404772
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044E700	3_2_0044E700
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041F721	3_2_0041F721
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004317C0	3_2_004317C0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044E790	3_2_0044E790
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00421795	3_2_00421795
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042E7A0	3_2_0042E7A0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00433857	3_2_00433857
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044E820	3_2_0044E820
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004138D1	3_2_004138D1
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004318D2	3_2_004318D2
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004478D0	3_2_004478D0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004258B0	3_2_004258B0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00428950	3_2_00428950
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041E960	3_2_0041E960
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043C966	3_2_0043C966
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00430970	3_2_00430970
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041B912	3_2_0041B912
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_004329D5	3_2_004329D5
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044F9E0	3_2_0044F9E0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042EA52	3_2_0042EA52
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044DA0C	3_2_0044DA0C
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00408A20	3_2_00408A20
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044EAD0	3_2_0044EAD0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00440AD0	3_2_00440AD0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00402AF0	3_2_00402AF0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042DB70	3_2_0042DB70
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042FB11	3_2_0042FB11
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00445B10	3_2_00445B10
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00438BD0	3_2_00438BD0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043DBDD	3_2_0043DBDD
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044ABF0	3_2_0044ABF0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0042AC40	3_2_0042AC40
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040AC00	3_2_0040AC00
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00416CC5	3_2_00416CC5
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041CCE6	3_2_0041CCE6
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00443C89	3_2_00443C89
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040FC90	3_2_0040FC90
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00438C9E	3_2_00438C9E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00444CA0	3_2_00444CA0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0040CD70	3_2_0040CD70
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00407D10	3_2_00407D10
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041BD1D	3_2_0041BD1D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00438D22	3_2_00438D22
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00439E46	3_2_00439E46
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0041DE50	3_2_0041DE50
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043EE51	3_2_0043EE51
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00433E50	3_2_00433E50
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044EE30	3_2_0044EE30
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00403E90	3_2_00403E90
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00408E90	3_2_00408E90
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043CF36	3_2_0043CF36
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0043FFD2	3_2_0043FFD2
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044AFF0	3_2_0044AFF0
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00420F80	3_2_00420F80
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0044BF8B	3_2_0044BF8B

Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: String function: 0041A8A0 appears 100 times
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: String function: 0040B200 appears 50 times

Source: C:\Users\user\Desktop\ShadowLoader.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 788

Source: ShadowLoader.exe, 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs ShadowLoader.exe
Source: ShadowLoader.exe, 00000002.00000000.1298887920.00000000000E6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs ShadowLoader.exe
Source: ShadowLoader.exe, 00000002.00000002.1423671025.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ShadowLoader.exe
Source: ShadowLoader.exe	Binary or memory string: OriginalFilenamePortals.exe0 vs ShadowLoader.exe

Source: ShadowLoader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ShadowLoader.exe

Static PE information: Section: .CSS ZLIB complexity 1.0003268715421854

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/6@14/4

Source: C:\Users\user\Desktop\ShadowLoader.exe

Code function: 3_2_00446730 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_00446730

Source: C:\Users\user\Desktop\ShadowLoader.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7660

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b288d988-3a04-48de-979d-e8187879e917

Jump to behavior

Source: ShadowLoader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ShadowLoader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ShadowLoader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ShadowLoader.exe	ReversingLabs: Detection: 86%
Source: ShadowLoader.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\ShadowLoader.exe

File read: C:\Users\user\Desktop\ShadowLoader.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ShadowLoader.exe "C:\Users\user\Desktop\ShadowLoader.exe"
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process created: C:\Users\user\Desktop\ShadowLoader.exe "C:\Users\user\Desktop\ShadowLoader.exe"
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 788
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process created: C:\Users\user\Desktop\ShadowLoader.exe "C:\Users\user\Desktop\ShadowLoader.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: ShadowLoader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ShadowLoader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ShadowLoader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: ShadowLoader.exe
Source:	Binary string: Portals.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERE60.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: ShadowLoader.exe
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE60.tmp.dmp.6.dr
Source:	Binary string: Portals.pdbSystem.ni.dlln= source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERE60.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERE60.tmp.dmp.6.dr

Source: ShadowLoader.exe

Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]

Source: ShadowLoader.exe

Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0045722D push eax; ret	3_2_00457236
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457237 push ecx; ret	3_2_00457252
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457284 push ebx; ret	3_2_00457286
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457290 push ebx; ret	3_2_00457292
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0045735C push ebp; ret	3_2_0045743A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0045735C push ebp; ret	3_2_0045744E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457450 push ebp; ret	3_2_00457452
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0045745C push ebp; ret	3_2_0045745E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457459 push ebp; ret	3_2_0045745A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457463 push ebp; ret	3_2_00457466
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457469 push esp; ret	3_2_0045746A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00457470 push esp; ret	3_2_00457482
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0045742C push ebp; ret	3_2_0045743A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_0045743F push ebp; ret	3_2_0045744E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456D60 push eax; ret	3_2_00456D62
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456D63 push ecx; ret	3_2_00456D6A
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456D6C push ecx; ret	3_2_00456D6E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456D7C push ebx; ret	3_2_00456D82
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456DF8 push ss; ret	3_2_00456DF9
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456DAF push edx; ret	3_2_00456DB2
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00454DA9 push edi; iretd	3_2_00454DDF
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456E45 push esp; ret	3_2_00456E46
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456E4C push esi; ret	3_2_00456E52
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456E54 push ebp; ret	3_2_00456E5E
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 3_2_00456E90 push ecx; ret	3_2_00456E96

Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ShadowLoader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\ShadowLoader.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe	Memory allocated: C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Memory allocated: 4420000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe

Window / User API: threadDelayed 4208

Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe TID: 7764	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe TID: 7328	Thread sleep count: 4208 > 30			Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\ShadowLoader.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\ShadowLoader.exe	Last function: Thread delayed

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: ShadowLoader.exe, 00000003.00000002.2548611578.0000000001338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: ShadowLoader.exe, 00000003.00000002.2548266398.00000000012FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpG4
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\ShadowLoader.exe

API call chain: ExitProcess graph end node

graph_3-23704

Source: C:\Users\user\Desktop\ShadowLoader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe

Code function: 3_2_0044C8F0 LdrInitializeThunk,

3_2_0044C8F0

Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 2_2_0242216D mov edi, dword ptr fs:[00000030h]		2_2_0242216D
Source: C:\Users\user\Desktop\ShadowLoader.exe	Code function: 2_2_024222EA mov edi, dword ptr fs:[00000030h]		2_2_024222EA

Source: C:\Users\user\Desktop\ShadowLoader.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\ShadowLoader.exe

Code function: 2_2_0242216D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

2_2_0242216D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ShadowLoader.exe

Memory written: C:\Users\user\Desktop\ShadowLoader.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe

Process created: C:\Users\user\Desktop\ShadowLoader.exe "C:\Users\user\Desktop\ShadowLoader.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe	Queries volume information: C:\Users\user\Desktop\ShadowLoader.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: ShadowLoader.exe, 00000003.00000002.2548611578.0000000001338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\ShadowLoader.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.ShadowLoader.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShadowLoader.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ShadowLoader.exe.3429550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2547626693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: ShadowLoader.exe, 00000003.00000002.2548611578.0000000001338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: ShadowLoader.exe, 00000003.00000002.2548611578.0000000001338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: ShadowLoader.exe, 00000003.00000002.2548611578.0000000001338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: ShadowLoader.exe, 00000003.00000002.2548722546.000000000138C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"
Source: ShadowLoader.exe, 00000003.00000002.2548611578.0000000001338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Users\user\Desktop\ShadowLoader.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior

Source: C:\Users\user\Desktop\ShadowLoader.exe

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 3.2.ShadowLoader.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShadowLoader.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ShadowLoader.exe.3429550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2547626693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1425454940.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ShadowLoader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
ShadowLoader.exe