Overview
overview
8Static
static
3Shaderify 8.4.4.exe
windows7-x64
8Shaderify 8.4.4.exe
windows10-2004-x64
8$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1Shaderify.exe
windows7-x64
8Shaderify.exe
windows10-2004-x64
8d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/app.js
windows7-x64
3resources/app.js
windows10-2004-x64
3resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1swiftshade...GL.dll
windows7-x64
1swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows7-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
-
max time kernel
134s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 09:47
Static task
static1
Behavioral task
behavioral1
Sample
Shaderify 8.4.4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Shaderify 8.4.4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
Shaderify.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Shaderify.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20240419-en
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20240508-en
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
resources/app.js
Resource
win7-20231129-en
Behavioral task
behavioral19
Sample
resources/app.js
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
resources/elevate.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
swiftshader/libEGL.dll
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral24
Sample
swiftshader/libGLESv2.dll
Resource
win7-20240508-en
Behavioral task
behavioral25
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral26
Sample
vk_swiftshader.dll
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral28
Sample
vulkan-1.dll
Resource
win7-20240221-en
Behavioral task
behavioral29
Sample
vulkan-1.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240215-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240508-en
General
-
Target
Shaderify 8.4.4.exe
-
Size
53.4MB
-
MD5
505ea174fba0dea1147a32496c847101
-
SHA1
879cc448363cf6bfbbdf2a45f652fe4ca6720f98
-
SHA256
dd4ce9e1a9daf52b9264ed81d72af9a0c7037d4f09af1883bce0faaeef91e914
-
SHA512
2a952ac23fdbced88fa302346b26a853f1bc1824958dcb80e42df5ad37733b0349d3a207c2fa1aab8137048324f5aa2515b877c21dbcb6a0429ab59a5f1d9bc7
-
SSDEEP
786432:MOHETki1abUwp4cKt3pIlWf9KazQTqbuUGpudQ1EyU2FXG73mPaGrbaBq5H/p/Qk:H1rycKt3pG6VbuUuFUv2PaGSq7/Qc5
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Shaderify.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Shaderify.exe -
Executes dropped EXE 4 IoCs
Processes:
Shaderify.exeShaderify.exeShaderify.exeShaderify.exepid process 2472 Shaderify.exe 736 Shaderify.exe 1252 Shaderify.exe 1240 Shaderify.exe -
Loads dropped DLL 11 IoCs
Processes:
Shaderify 8.4.4.exeShaderify.exeShaderify.exeShaderify.exeShaderify.exepid process 3560 Shaderify 8.4.4.exe 3560 Shaderify 8.4.4.exe 3560 Shaderify 8.4.4.exe 2472 Shaderify.exe 2472 Shaderify.exe 736 Shaderify.exe 736 Shaderify.exe 736 Shaderify.exe 736 Shaderify.exe 1252 Shaderify.exe 1240 Shaderify.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\SHsCQhOwdefuZpv.ps1\"" powershell.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 25 api.ipify.org 26 api.ipify.org 32 ipinfo.io 35 ipinfo.io -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
cmd.execmd.exepid process 2584 cmd.exe 4812 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exepowershell.exepowershell.exeShaderify.exeShaderify.exepid process 5016 powershell.exe 5016 powershell.exe 1240 powershell.exe 1240 powershell.exe 4208 powershell.exe 4208 powershell.exe 1252 Shaderify.exe 1252 Shaderify.exe 1240 Shaderify.exe 1240 Shaderify.exe 1240 Shaderify.exe 1240 Shaderify.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Shaderify 8.4.4.exetasklist.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeSecurityPrivilege 3560 Shaderify 8.4.4.exe Token: SeDebugPrivilege 448 tasklist.exe Token: SeDebugPrivilege 5016 powershell.exe Token: SeDebugPrivilege 1240 powershell.exe Token: SeDebugPrivilege 4208 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Shaderify 8.4.4.exeShaderify.execmd.execmd.exepowershell.execmd.execsc.execmd.exedescription pid process target process PID 3560 wrote to memory of 2472 3560 Shaderify 8.4.4.exe Shaderify.exe PID 3560 wrote to memory of 2472 3560 Shaderify 8.4.4.exe Shaderify.exe PID 2472 wrote to memory of 2640 2472 Shaderify.exe cmd.exe PID 2472 wrote to memory of 2640 2472 Shaderify.exe cmd.exe PID 2472 wrote to memory of 5072 2472 Shaderify.exe cmd.exe PID 2472 wrote to memory of 5072 2472 Shaderify.exe cmd.exe PID 5072 wrote to memory of 448 5072 cmd.exe tasklist.exe PID 5072 wrote to memory of 448 5072 cmd.exe tasklist.exe PID 2640 wrote to memory of 5016 2640 cmd.exe powershell.exe PID 2640 wrote to memory of 5016 2640 cmd.exe powershell.exe PID 5016 wrote to memory of 4900 5016 powershell.exe csc.exe PID 5016 wrote to memory of 4900 5016 powershell.exe csc.exe PID 2472 wrote to memory of 2584 2472 Shaderify.exe cmd.exe PID 2472 wrote to memory of 2584 2472 Shaderify.exe cmd.exe PID 2584 wrote to memory of 1240 2584 cmd.exe powershell.exe PID 2584 wrote to memory of 1240 2584 cmd.exe powershell.exe PID 4900 wrote to memory of 1572 4900 csc.exe cvtres.exe PID 4900 wrote to memory of 1572 4900 csc.exe cvtres.exe PID 2472 wrote to memory of 4812 2472 Shaderify.exe cmd.exe PID 2472 wrote to memory of 4812 2472 Shaderify.exe cmd.exe PID 4812 wrote to memory of 4208 4812 cmd.exe powershell.exe PID 4812 wrote to memory of 4208 4812 cmd.exe powershell.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 736 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 1252 2472 Shaderify.exe Shaderify.exe PID 2472 wrote to memory of 1252 2472 Shaderify.exe Shaderify.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe"C:\Users\Admin\AppData\Local\Temp\Shaderify 8.4.4.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exeC:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""3⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zyipflkp\zyipflkp.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67C2.tmp" "c:\Users\Admin\AppData\Local\Temp\zyipflkp\CSC442EA518B586492B98A0FAB9AEB2D3.TMP"6⤵PID:1572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"3⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:448 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,8,155,162,221,184,73,71,232,222,51,145,193,115,97,9,130,241,224,103,6,120,76,14,50,215,61,172,124,159,238,253,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,99,253,1,12,244,37,76,196,250,204,121,176,50,84,44,171,164,192,123,43,73,12,147,211,193,42,15,39,95,26,62,201,48,0,0,0,199,59,41,134,72,150,192,161,125,143,33,114,13,155,6,139,72,133,43,120,135,38,24,218,101,6,176,207,210,73,64,67,238,175,209,152,192,141,196,93,4,159,79,39,108,201,81,243,64,0,0,0,47,182,203,76,22,230,198,116,189,169,35,195,147,254,206,160,141,223,22,83,122,129,208,253,101,155,106,250,254,105,139,55,133,60,233,210,239,137,168,177,165,144,32,46,241,126,232,206,117,88,178,220,23,105,81,227,111,16,111,158,78,1,233,96), $null, 'CurrentUser')4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,158,56,123,155,119,128,226,65,189,77,45,80,19,37,26,47,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,204,23,200,182,199,212,101,234,51,160,20,157,150,146,144,151,39,93,3,161,164,186,212,226,57,101,160,86,167,155,8,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,184,144,186,180,174,237,163,184,95,232,101,63,21,177,75,98,215,199,36,30,80,192,146,63,77,115,21,70,102,42,166,165,48,0,0,0,117,126,67,77,96,159,142,116,174,11,86,56,11,231,226,145,7,63,8,207,34,20,54,206,115,112,214,184,19,252,2,122,95,58,116,12,104,15,223,163,49,195,63,147,96,226,86,246,64,0,0,0,114,72,103,37,120,230,180,221,228,136,240,64,66,22,120,71,192,126,130,46,213,57,1,27,188,210,151,225,138,111,6,223,99,131,127,243,133,142,61,229,60,15,180,41,8,227,3,169,15,181,32,167,8,219,218,233,217,48,253,19,227,158,119,122), $null, 'CurrentUser')4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1812 /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:736 -
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2200 /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe"C:\Users\Admin\AppData\Local\Temp\2hKz7RyNFzXpF3YD41CyAiQnqEJ\Shaderify.exe" --type=gpu-process --field-trial-handle=1804,16734063316386581723,925908392957392502,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2120 /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1240
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5104
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD552cc110bb3777aa6bba7900630d4eb49
SHA13663dc658fd13d407e49781d1a5c2aa203c252fc
SHA256892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6
SHA51289b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab
-
Filesize
3KB
MD5f48896adf9a23882050cdff97f610a7f
SHA14c5a610df62834d43f470cae7e851946530e3086
SHA2563ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
SHA51216644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9
-
Filesize
1KB
MD5c3d0e052ba84a5a94a12f82b5523b45e
SHA118c9412da40f1d565c47dc150f782672a8913baa
SHA2560937d02e49f29b26b70ae49a9709208b79a25cb2b927251e5ef2cce71942638d
SHA51278a4c052734d4540e190e37c674302d1a234c9d83e0761b1337241519685dbe486b65a8d58919bc2e166c8a58395895fd1385b8a47f5fed4506dbf132ddfc607
-
Filesize
1.4MB
MD556192831a7f808874207ba593f464415
SHA1e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA2566aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33
-
Filesize
22B
MD576cdb2bad9582d23c1f6f4d868218d6c
SHA1b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA2568739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA5125e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
Filesize
4.3MB
MD57641e39b7da4077084d2afe7c31032e0
SHA12256644f69435ff2fee76deb04d918083960d1eb
SHA25644422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA5128010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5
-
Filesize
121KB
MD506baf0ad34e0231bd76651203dba8326
SHA1a5f99ecdcc06dec9d7f9ce0a8c66e46969117391
SHA2565ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189
SHA512aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91
-
Filesize
181KB
MD557c27201e7cd33471da7ec205fe9973c
SHA1a8e7bce09c4cbdae2797611b2be8aeb5491036f9
SHA256dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b
SHA51257258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4
-
Filesize
2.7MB
MD5eabfc10d56cb44a86493cb2f8ca7aab2
SHA109d7e87f43527333cd021329d6c2f4e8bd8ddab5
SHA25642a2a996ac433ac33a22776b8418a82753557093d90147b7951138b5c83924b6
SHA512ee31e3539fba9e5969a9f38c428f586de2dd7630cb5d8c5e3c2c934b5881f8176b8ab6ef6397c1ce4fa6ccf3ee9615225c7afa0e0b28c6fc23974e8b96625dec
-
Filesize
10.0MB
MD5ad2988770b8cb3281a28783ad833a201
SHA194b7586ee187d9b58405485f4c551b55615f11b5
SHA256df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108
SHA512f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01
-
Filesize
438KB
MD5660a9ae1282e6205fc0a51e64470eb5b
SHA1f91a9c9559f51a8f33a552f0145ed9e706909de8
SHA256f2a841b6ef320f226965c7cb01fbc4709fc31425e490a3edfa20147ce3656c85
SHA51220bed2bed042033e3d8b077f9d66bce67922aaec180cc3777f20560219226b7efc73932bb87445afda4e3877472ddcd307215d23954cd082051437e5f2224263
-
Filesize
7.3MB
MD5bc45db0195aa369cc3c572e4e9eefc7e
SHA1b880ca4933656be52f027028af5ef8a3b7e07e97
SHA256a81729fd6ee2d64dfc47501a1d53794cdeee5c1daa3751f7554aea2503686d10
SHA512dd8c39947e7d767fbdccf90c5b3eaedf3937b43c55200d2199107333b63ac09e5356c286618874fac841e1357dd927e0c70b5066c1feeedd8cc6c0fba605ee5f
-
Filesize
83KB
MD5bd8f7b719110342b7cefb16ddd05ec55
SHA182a79aeaa1dd4b1464b67053ba1766a4498c13e7
SHA256d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de
SHA5127cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e
-
Filesize
4.8MB
MD5d13873f6fb051266deb3599b14535806
SHA1143782c0ce5a5773ae0aae7a22377c8a6d18a5b2
SHA2567b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506
SHA5121ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939
-
Filesize
12.3MB
MD5e95d6f8d09a92e654aadf7a4117550cf
SHA18d1b84e9f8fae63fe5b598bdb767d1c062bf8ffe
SHA256781877bb7bbe002e7dacbadc65241df8ae5842b8db297f61c8786fb8e7bab09b
SHA512517c6e2a76a52880a08c18a0ea6201fdff385ed7485b462711eacf21dc32bf446539dc297c2517e9b049e0d9c3c5e1ea99ead5804ff3d90c728cf293e5589d2f
-
Filesize
168KB
MD5c2208c06c8ff81bca3c092cc42b8df1b
SHA1f7b9faa9ba0e72d062f68642a02cc8f3fed49910
SHA2564a67de195878d290f49b503b83e415917b8bbcbd9936b07a5d33b48e9bc6e0a3
SHA5126c3c370dd086a976c44d4059a315bd3bcbb50961aa34734e65a40d861cffca9090d47cec74575afe23952e394e4845bda2d8798eebe01fb54a7a6288bce238f5
-
Filesize
1KB
MD5ab545f8c3e530deeab49bae1185a7cc4
SHA15f5a853684e7bab4084ce1eaa581d4aa6503d913
SHA2566108e7cce3de3727da00080164f61d375e726e83cb4a60d116922916f5414d33
SHA512afea1426ebe23d9327a7e2bc7b136e8dfefcf074c7000fae4412904f697afc1dacfd4af273bd263807bf6449f82c616ab9cd4ecbc85313a0641b69c4110d0ddd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
101KB
MD533b4e69e7835e18b9437623367dd1787
SHA153afa03edaf931abdc2d828e5a2c89ad573d926c
SHA25672d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae
SHA512ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77
-
Filesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
Filesize
391KB
MD5c6a070b3e68b292bb0efc9b26e85e9cc
SHA15a922b96eda6595a68fd0a9051236162ff2e2ada
SHA25666ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b
SHA5128eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8
-
Filesize
3KB
MD529a18389399044ccdc4150bfbccae7a5
SHA1d3df3ed73c9583ebe50d3abc283f291a7488a093
SHA256f9166045d42e1306b7c4dd84bd4261455bc714744ff2b65ceb8dfa5c2638b997
SHA512425a85d4be9626ad50501cdf47797c3bbf52f17d7bb71cdee7fbc3948205edf69259fdeb17819af7b9cac55f2cd2d7b727bf603a2d1b6b9e2f9baf8e5a53754b
-
Filesize
652B
MD5e5821ce688f3aed0b2468931775a2f2a
SHA17a3e896eb39287e3b455f05eae33e179cc0b5d81
SHA256c113b69c698b779ee3075aa798a56f8c525eb7c791bba4071c898af6081e9e8d
SHA512d4229d6c161eae666eeae18849aa09476df6ef019a76d2ddbf9172e6e6595e8fb33125175a35423ecf2fcf4fbf88d2d1a1754440a088877e6055f7442cb21191
-
Filesize
426B
MD5b462a7b0998b386a2047c941506f7c1b
SHA161e8aa007164305a51fa2f1cebaf3f8e60a6a59f
SHA256a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
SHA512eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020
-
Filesize
369B
MD5f3e706210daeebba6f59d0874c753703
SHA1864f54feb589cf24ba69a0150941b7199b09f977
SHA25624643f87d81dce65142b56f13f818c2d41a72d7b107da21c66ce18fd7f013a1f
SHA51214152fac106302c8e1b11ee2699f1e7437bd519a993048c2379b64113845baf57918e0cfbab787f5b5c88679011fe66f50478392b1d27ccb004e8ec420159fef