100565864eed928d474d1912b9de2f124a2e94f312a454922b4ccdff36860fba

Resubmissions

25/09/2024, 10:15

240925-mah9eazdjk 8

19/09/2024, 16:05

240919-tjgkhaxdjh 8

Analysis

max time kernel
302s
max time network
302s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.exe
Size

67.1MB
MD5

7d658964c1874ca902f3dc0864b00a3c
SHA1

c972667622f44e4cb93a2fc7d9f1a0dc1cbb5edf
SHA256

100565864eed928d474d1912b9de2f124a2e94f312a454922b4ccdff36860fba
SHA512

28adf2797b6acc971d67f75bc2c8ea90693c68e62732f1f5986561b0b9bfc60d0ca4495f6547057a046286328c6a25268c07aadbe5cdacf246ddbbb0c8de086f
SSDEEP

1572864:AK93N+NLkIzv7Bc6hrd3L/HGuIa31UwAQEKhSzqYA8nfndf:AU9+NC69N/muIq1ULQE4SpFf

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2184	powershell.exe
1840	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kryptex = "\"C:\\Program Files\\Kryptex\\Kryptex.exe\" --from-startup"	Kryptex.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	Kryptex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	Kryptex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	Kryptex.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ca.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\package.json	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\package.json	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\arm64	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\bg.pak	download.exe
File created	C:\Program Files\Kryptex\locales\hi.pak	download.exe
File created	C:\Program Files\Kryptex\locales\ko.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\pt-BR.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources.pak	download.exe
File created	C:\Program Files\Kryptex\locales\zh-TW.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release\pagefile.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build	download.exe
File created	C:\Program Files\Kryptex\locales\cs.pak	download.exe
File created	C:\Program Files\Kryptex\locales\es.pak	download.exe
File created	C:\Program Files\Kryptex\locales\fa.pak	download.exe
File created	C:\Program Files\Kryptex\locales\nl.pak	download.exe
File created	C:\Program Files\Kryptex\locales\sw.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\LICENSE.txt	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\package.json	download.exe
File opened for modification	C:\Program Files\Kryptex\chrome_200_percent.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\bn.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\de.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\es-419.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\fa.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ta.pak	download.exe
File created	C:\Program Files\Kryptex\d3dcompiler_47.dll	download.exe
File opened for modification	C:\Program Files\Kryptex\Kryptex.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files\Kryptex\locales\fil.pak	download.exe
File created	C:\Program Files\Kryptex\locales\ta.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\nvapi\build	download.exe
File opened for modification	C:\Program Files\Kryptex\LICENSE.electron.txt	download.exe
File created	C:\Program Files\Kryptex\LICENSES.chromium.html	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ar.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\da.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\et.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\nvapi\build\Release\nvapi.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build	download.exe
File created	C:\Program Files\Kryptex\locales\da.pak	download.exe
File created	C:\Program Files\Kryptex\locales\en-US.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\hi.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\snapshot_blob.bin	download.exe
File created	C:\Program Files\Kryptex\v8_context_snapshot.bin	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\arm64\7za.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\swiftshader\libEGL.dll	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules	download.exe
File created	C:\Program Files\Kryptex\icudtl.dat	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ja.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\sr.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\te.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\arm64\7za.exe	download.exe
File created	C:\Program Files\Kryptex\locales\it.pak	download.exe
File created	C:\Program Files\Kryptex\locales\ms.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\x64\7za.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\swiftshader	download.exe
File created	C:\Program Files\Kryptex\locales\ca.pak	download.exe
File created	C:\Program Files\Kryptex\locales\en-GB.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\mr.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ro.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\7x.sh	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\en-GB.pak	download.exe
File created	C:\Program Files\Kryptex\resources\elevate.exe	download.exe

Executes dropped EXE 64 IoCs

pid	Process
2632	Kryptex.exe
2752	Kryptex.exe
344	Kryptex.exe
2028	Kryptex.exe
1688	Kryptex.exe
2860	Kryptex.exe
2616	adlinfo.exe
852	pagefile.exe
2036	adlinfo.exe
1524	adlinfo.exe
1880	adlinfo.exe
2736	adlinfo.exe
852	adlinfo.exe
2864	adlinfo.exe
2300	adlinfo.exe
1648	adlinfo.exe
2360	adlinfo.exe
2216	adlinfo.exe
2772	adlinfo.exe
1416	adlinfo.exe
2616	adlinfo.exe
2692	adlinfo.exe
2712	adlinfo.exe
888	adlinfo.exe
1696	adlinfo.exe
1416	adlinfo.exe
1624	adlinfo.exe
2508	adlinfo.exe
940	adlinfo.exe
2052	adlinfo.exe
2216	adlinfo.exe
1480	adlinfo.exe
2864	adlinfo.exe
1628	adlinfo.exe
2180	adlinfo.exe
936	adlinfo.exe
2040	adlinfo.exe
2340	adlinfo.exe
2816	adlinfo.exe
3064	adlinfo.exe
1524	adlinfo.exe
2468	adlinfo.exe
2232	adlinfo.exe
2404	adlinfo.exe
1212	adlinfo.exe
2084	adlinfo.exe
1532	adlinfo.exe
2800	adlinfo.exe
1936	adlinfo.exe
952	adlinfo.exe
2236	adlinfo.exe
1452	adlinfo.exe
592	adlinfo.exe
2100	adlinfo.exe
2244	adlinfo.exe
112	adlinfo.exe
1832	adlinfo.exe
2352	adlinfo.exe
1976	adlinfo.exe
2036	adlinfo.exe
1640	adlinfo.exe
1660	adlinfo.exe
2508	adlinfo.exe
1736	adlinfo.exe

Loads dropped DLL 46 IoCs

pid	Process
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1656	download.exe
1116	Process not Found
1116	Process not Found
1116	Process not Found
1116	Process not Found
1656	download.exe
1656	download.exe
1656	download.exe
2632	Kryptex.exe
2752	Kryptex.exe
344	Kryptex.exe
2028	Kryptex.exe
344	Kryptex.exe
1688	Kryptex.exe
344	Kryptex.exe
344	Kryptex.exe
344	Kryptex.exe
344	Kryptex.exe
344	Kryptex.exe
344	Kryptex.exe
344	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1116	Process not Found
2860	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Kryptex.exe

Modifies registry key 1 TTPs 58 IoCs

Modify Registry

T1112

pid	Process
2256	reg.exe
1908	reg.exe
464	reg.exe
1628	reg.exe
2600	reg.exe
1740	reg.exe
1640	reg.exe
924	reg.exe
2072	reg.exe
2740	reg.exe
1976	reg.exe
1836	reg.exe
2832	reg.exe
1556	reg.exe
2216	reg.exe
2256	reg.exe
2236	reg.exe
1984	reg.exe
1856	reg.exe
1560	reg.exe
1908	reg.exe
2832	reg.exe
1552	reg.exe
2720	reg.exe
1356	reg.exe
1932	reg.exe
1440	reg.exe
2204	reg.exe
2040	reg.exe
2620	reg.exe
1792	reg.exe
852	reg.exe
2592	reg.exe
2064	reg.exe
2512	reg.exe
1868	reg.exe
2288	reg.exe
2056	reg.exe
2876	reg.exe
1672	reg.exe
616	reg.exe
1888	reg.exe
652	reg.exe
1644	reg.exe
1580	reg.exe
1836	reg.exe
1492	reg.exe
1648	reg.exe
2164	reg.exe
2844	reg.exe
2004	reg.exe
1520	reg.exe
772	reg.exe
1700	reg.exe
1436	reg.exe
2500	reg.exe
2764	reg.exe
2496	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Kryptex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Kryptex.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
2160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2184	powershell.exe
1840	powershell.exe
1656	download.exe
1656	download.exe
1656	download.exe
1724	powershell.exe
2632	Kryptex.exe
2632	Kryptex.exe
2632	Kryptex.exe
2632	Kryptex.exe
2632	Kryptex.exe
1688	Kryptex.exe
2028	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
2632	Kryptex.exe
2632	Kryptex.exe
2860	Kryptex.exe
2632	Kryptex.exe
2632	Kryptex.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeSecurityPrivilege	1656	download.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeIncreaseQuotaPrivilege	1464	wmic.exe
Token: SeSecurityPrivilege	1464	wmic.exe
Token: SeTakeOwnershipPrivilege	1464	wmic.exe
Token: SeLoadDriverPrivilege	1464	wmic.exe
Token: SeSystemProfilePrivilege	1464	wmic.exe
Token: SeSystemtimePrivilege	1464	wmic.exe
Token: SeProfSingleProcessPrivilege	1464	wmic.exe
Token: SeIncBasePriorityPrivilege	1464	wmic.exe
Token: SeCreatePagefilePrivilege	1464	wmic.exe
Token: SeBackupPrivilege	1464	wmic.exe
Token: SeRestorePrivilege	1464	wmic.exe
Token: SeShutdownPrivilege	1464	wmic.exe
Token: SeDebugPrivilege	1464	wmic.exe
Token: SeSystemEnvironmentPrivilege	1464	wmic.exe
Token: SeRemoteShutdownPrivilege	1464	wmic.exe
Token: SeUndockPrivilege	1464	wmic.exe
Token: SeManageVolumePrivilege	1464	wmic.exe
Token: 33	1464	wmic.exe
Token: 34	1464	wmic.exe
Token: 35	1464	wmic.exe
Token: SeIncreaseQuotaPrivilege	1464	wmic.exe
Token: SeSecurityPrivilege	1464	wmic.exe
Token: SeTakeOwnershipPrivilege	1464	wmic.exe
Token: SeLoadDriverPrivilege	1464	wmic.exe
Token: SeSystemProfilePrivilege	1464	wmic.exe
Token: SeSystemtimePrivilege	1464	wmic.exe
Token: SeProfSingleProcessPrivilege	1464	wmic.exe
Token: SeIncBasePriorityPrivilege	1464	wmic.exe
Token: SeCreatePagefilePrivilege	1464	wmic.exe
Token: SeBackupPrivilege	1464	wmic.exe
Token: SeRestorePrivilege	1464	wmic.exe
Token: SeShutdownPrivilege	1464	wmic.exe
Token: SeDebugPrivilege	1464	wmic.exe
Token: SeSystemEnvironmentPrivilege	1464	wmic.exe
Token: SeRemoteShutdownPrivilege	1464	wmic.exe
Token: SeUndockPrivilege	1464	wmic.exe
Token: SeManageVolumePrivilege	1464	wmic.exe
Token: 33	1464	wmic.exe
Token: 34	1464	wmic.exe
Token: 35	1464	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2632	Kryptex.exe
2632	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2632	Kryptex.exe
2632	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe
1688	Kryptex.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2184	1656	download.exe	28
PID 1656 wrote to memory of 2184	1656	download.exe	28
PID 1656 wrote to memory of 2184	1656	download.exe	28
PID 1656 wrote to memory of 2184	1656	download.exe	28
PID 1656 wrote to memory of 1840	1656	download.exe	30
PID 1656 wrote to memory of 1840	1656	download.exe	30
PID 1656 wrote to memory of 1840	1656	download.exe	30
PID 1656 wrote to memory of 1840	1656	download.exe	30
PID 1656 wrote to memory of 1724	1656	download.exe	32
PID 1656 wrote to memory of 1724	1656	download.exe	32
PID 1656 wrote to memory of 1724	1656	download.exe	32
PID 1656 wrote to memory of 1724	1656	download.exe	32
PID 1656 wrote to memory of 2972	1656	download.exe	34
PID 1656 wrote to memory of 2972	1656	download.exe	34
PID 1656 wrote to memory of 2972	1656	download.exe	34
PID 1656 wrote to memory of 2972	1656	download.exe	34
PID 1656 wrote to memory of 2976	1656	download.exe	37
PID 1656 wrote to memory of 2976	1656	download.exe	37
PID 1656 wrote to memory of 2976	1656	download.exe	37
PID 1656 wrote to memory of 2976	1656	download.exe	37
PID 1656 wrote to memory of 2244	1656	download.exe	39
PID 1656 wrote to memory of 2244	1656	download.exe	39
PID 1656 wrote to memory of 2244	1656	download.exe	39
PID 1656 wrote to memory of 2244	1656	download.exe	39
PID 1656 wrote to memory of 2160	1656	download.exe	41
PID 1656 wrote to memory of 2160	1656	download.exe	41
PID 1656 wrote to memory of 2160	1656	download.exe	41
PID 1656 wrote to memory of 2160	1656	download.exe	41
PID 2632 wrote to memory of 2752	2632	Kryptex.exe	46
PID 2632 wrote to memory of 2752	2632	Kryptex.exe	46
PID 2632 wrote to memory of 2752	2632	Kryptex.exe	46
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47
PID 2632 wrote to memory of 344	2632	Kryptex.exe	47

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Add-MpPreference -ExclusionPath \"C:\Program Files\Kryptex\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Remove-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /f /tn KryptexElevation
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /f /tn KryptexElevationFromStartup
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /tn KryptexElevationV2 /xml "C:\Program Files\Kryptex\KryptexElevation.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2244
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /tn KryptexElevationV2FromStartup /xml "C:\Program Files\Kryptex\KryptexElevationFromStartup.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2160

C:\Program Files\Kryptex\Kryptex.exe
"C:\Program Files\Kryptex\Kryptex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Kryptex /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Kryptex\Crashpad --url=https://f.a.k/e --annotation=_productName=Kryptex --annotation=_version=4.44.2 --annotation=prod=Electron --annotation=ver=14.2.9 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2e8,0x2fc,0x147028a38,0x147028a48,0x147028a58
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2752
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=gpu-process --field-trial-handle=1076,11521808900237572767,11769435166727064365,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1080 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:344
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,11521808900237572767,11769435166727064365,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1304 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\Kryptex\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1076,11521808900237572767,11769435166727064365,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1500 /prefetch:1
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1688
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get locale
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1524
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2288
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:2672
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:2548
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get SerialNumber /value
    3⤵
    PID:2468
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get TotalVirtualMemorySize /value
    3⤵
    PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:2236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:1816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:1920
- - C:\Windows\System32\Wbem\wmic.exe
    wmic pagefile get AllocatedBaseSize /value
    3⤵
    PID:2676
- - C:\Windows\System32\Wbem\wmic.exe
    wmic logicaldisk where Caption='C:' get FreeSpace /value
    3⤵
    PID:1580
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release\pagefile.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release\pagefile.exe" 16 16
    3⤵
    - Executes dropped EXE
    PID:852
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe" setPageSize 2
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDelay /t REG_DWORD /d 0x14 /f"
    3⤵
    PID:592
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDelay /t REG_DWORD /d 0x14 /f
      4⤵
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDdiDelay /t REG_DWORD /d 0xa /f"
    3⤵
    PID:1140
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDdiDelay /t REG_DWORD /d 0xa /f
      4⤵
      PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3016
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1908
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1524
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1880
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption /value
    3⤵
    PID:2644
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get SerialNumber /value
    3⤵
    PID:2480
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get TotalVirtualMemorySize /value
    3⤵
    PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:2240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:2352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:2072
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:308
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1888
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1224
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1580
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:852
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2740
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2864
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2260
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2256
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2300
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2932
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2620
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1440
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2360
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1672
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1976
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2504
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1700
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1724
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1792
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1416
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1624
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1628
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2600
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2692
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:812
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1436
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2712
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2216
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:888
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2424
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2056
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2972
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1836
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1416
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2832
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1624
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2528
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2500
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2344
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1740
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:940
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1436
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2236
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2052
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1364
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1984
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1604
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:852
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:616
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1640
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2864
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2520
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2832
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1628
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1648
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2180
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1192
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1520
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:936
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2164
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2760
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2764
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2340
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1864
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2204
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:616
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2844
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3064
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1856
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:924
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1832
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2876
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2232
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1672
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2404
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:652
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1212
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2036
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1356
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2084
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:564
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1836
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1532
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1660
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2256
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1492
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1736
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1556
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:952
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1012
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1560
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2004
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1452
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1992
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2592
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:592
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:616
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2100
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2516
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1908
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2800
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1932
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:112
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1804
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1552
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:812
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:464
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2236
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2720
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1212
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2496
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1696
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:772
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1324
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2064
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2616
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2512
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1868
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1576
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2072
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2212
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2040
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    PID:1984
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\Kryptex\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1076,11521808900237572767,11769435166727064365,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kryptex\KryptexElevation.xml

Filesize
3KB

MD5
e584e974928f5c25896c57ab4473c7fa

SHA1
d0f41300aa9899cfd8cee99c5b1179764cb5b3a9

SHA256
9ea9d814ae35bd3f5d8603fb174342f73e7292032b0e822920be971221b98211

SHA512
f9dfeae6ef90eb474a16262fd2b96a22418c3249cbf8e5a8765a297d3e4e14bd504aeed093b50d6537cd40b93bb1fab5503225e4812a793eacc72f2982867d2e

Download Submit
C:\Program Files\Kryptex\KryptexElevationFromStartup.xml

Filesize
3KB

MD5
6613ead33c20d846c8a1ba281d6c9327

SHA1
c7be96f9d32af83f99c23f21165fe860a455fc54

SHA256
77de3447f0f69513af4bc08f410a28f58189234bd908e5f7d1ff5c35e0a086b1

SHA512
fa71a511b96628999ff1a1ac5f8aebc44c2be108a427a51e56ac4c72aec37bfda308cafd0ab12b6a55bc7f802cdd98ae7922be6ad67adf3c3bbb65b4c946bf7d

Download Submit
C:\Program Files\Kryptex\chrome_100_percent.pak

Filesize
139KB

MD5
109ee8ffd715c63e3e2248c2ad5ca559

SHA1
7f89b213e80e2b4f52f75b449baecb88054d5e07

SHA256
b581f176c6bdbf8a152947fb37af9c0e6d7651616408cb7312b336c37a704580

SHA512
3fc5e1de128ce0ddf6dddba758a651f4030323e5285b54859019eb95fb0ae11321ba9c391e8bc578acb7f49dd4d82821c4f9947f39972d79360fd2e6abc67de8

Download Submit
C:\Program Files\Kryptex\chrome_200_percent.pak

Filesize
203KB

MD5
3e50e56e351309566b7e3e5a5ca7c7b6

SHA1
3ef35792e0b9c3b902d4da59d0a4bb34590c5400

SHA256
abd207d3e55f0250b27ce23f2a15b0a5ff6f769c08f54e705e2fd0273dca5f1e

SHA512
b24b20fe5dd9766b86869c51b6d92fd3b191bc3a2cac8a4b43b781644958b49500a0fca3fc69781d9c5a80868508f1fa0af9bc1896dc73f944cf1af8546815f0

Download Submit
C:\Program Files\Kryptex\ffmpeg.dll

Filesize
2.6MB

MD5
002287b5dfe53d87c189f368c7f785b5

SHA1
00e6e0e224b5f391c0172008ec78ec5124153649

SHA256
b453afca000aef28c8f27a315a31f244c46755308dea8d9ad55d19a507471a6b

SHA512
c2b23dd13e3f1c009e2eb2e4aae7a9a4e713642a9031c1e51125c9f0c6c8c6430a2088dd5c20867a2e948c97ae9a9078535e96b5d06ea6c7bd7f67a2db2104aa

Download Submit
C:\Program Files\Kryptex\icudtl.dat

Filesize
9.7MB

MD5
224ba45e00bbbb237b34f0facbb550bf

SHA1
1b0f81da88149d9c610a8edf55f8f12a87ca67de

SHA256
8dee674ccd2387c14f01b746779c104e383d57b36c2bdc8e419c470a3d5ffadc

SHA512
c04d271288dd2eff89d91e31829586706eba95ffbab0b75c2d202a4037e66a4e2205e8a37ecf15116302c51239b1826064ed4670a3346439470b260aba0ea784

Download Submit
C:\Program Files\Kryptex\locales\en-US.pak

Filesize
95KB

MD5
a986c722c10b0639d00250468bb41100

SHA1
7d5d7188ec4723f32bfb13e3573db39b234d934b

SHA256
cb40b01d42057e1aa9a3660afa5db2507e4dadb9b23099ab087c4ff14a99d5e9

SHA512
768145c6dd70e9d3df09cbabb0562249442e86369c6d60d27b2408b8e9d767899911bcc254c0aedc0d29705ab51367a08ff1e25e387a5eb6daae5365c2082d81

Download Submit
C:\Program Files\Kryptex\resources.pak

Filesize
4.6MB

MD5
d98298d188d7ebed9b3e89a822f95df7

SHA1
a50523cc15f47abb6f1b50982db454e4e956ebc8

SHA256
0acd9cafd7c4fac398e85a6e008bad6d7ad34f90b0bfd207df330d3e69bcfa75

SHA512
24cd58294f12f0541d49d180c23b89796596a599d1fc4346d8155b552d765bad0e759c85dded98cf4f3c74ec150b98baf27528f0e864fd37f71dd41c90345791

Download Submit
C:\Program Files\Kryptex\resources\app.asar

Filesize
49.5MB

MD5
8c337b5f01bd3f9628ea513dbb2eb7f7

SHA1
9090597fb41c9527a17eaf23fd679eccf99b150e

SHA256
4043dc892963956232ee95734f5c4d9b1f4848190d5177cca2d1248ef2a4786e

SHA512
676938726779e894b8fb87e35894521667df6378d47b48debc8df309954a0bd570f69ed7397a6ce6cad1471593fa45946ac7780ef1b9369100dc3cdd6f7c3344

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe

Filesize
1.1MB

MD5
54dad5920a331983f1d5c5d0d936261c

SHA1
c6e185e00f3196b8d0af2401f42cb051c5b4ad7b

SHA256
37fdd3b2c7f3be49619bc0ed731d2e33534abb12170698e4ae759fd9143edcb5

SHA512
cc45cb0aca06841c219c8f8caa4c4e21a2a9a580012bd0b1d67cd5609d8c870a17c7c0154da064a7940f73064146954de38c49637b023d3eeb34a05a1ee0f9ca

Download Submit
C:\Program Files\Kryptex\v8_context_snapshot.bin

Filesize
160KB

MD5
1c153a96607d3e2c38f11a396533fc80

SHA1
42d11efbaa549ade29c341e6b8ad5a0545047c62

SHA256
18ad1a1abeec0230f2a3e38a80c00d4e298bb55d2bb76a2c8e8b113814023815

SHA512
c3ed01af43532d75c845152f35e844f730f6c7ee14f59ef77222a9b62c52354b4c995fc32b95369d888353da56c308dd32cdec97d34d2aab968e426018416248

Download Submit
C:\Program Files\Kryptex\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\Crashpad\settings.dat

Filesize
40B

MD5
bd2c1d41711d43141717b3ee10d2a8d6

SHA1
72b69dde3efde933e56d22be2ec2c604f8137cee

SHA256
45cbf616d37f3632603e9e68dcd3ec85fb6b12e872ed9aca587bbf767c3cb204

SHA512
69c3ab2c3affc770e7a0787e0b86158e1d2ea425a3853257ce329dc2596c685511d2aefec9e44e089d551b1e8981261981f3a04a6921f3a75b2934f2dcd01349

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\sentry\queue\92929ff621f54af0834fcf8224ea88d3

Filesize
7KB

MD5
704a9020254bdf2cc294c8fa5a7b4875

SHA1
3e6fdf7bd5b1a5ce1efd8d443a99223f36fe14e7

SHA256
695b319ff2173ece8a56c9ac60bcdffd04dc2144fe42e85e5ebf74f2bc693427

SHA512
e9331f9058abb09a6c5db291d4c3cdcf0b767e69bb9225a4315109ea518fee9ed874ee9fa4c26d2d65e2230c650eaafad2a9e8e5a393a70d20ec36213f00e91a

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\sentry\scope_v2.json

Filesize
6KB

MD5
0058f8dacda64789831860b51a1358d8

SHA1
a3df5c5ba28a541f30a1de09fa85da02e03b2752

SHA256
65884ab3264038b89ea6850fb124a22e5b34aea5b127fdbf2818b48b61b86d22

SHA512
c0f5093ce56553dba964c0499100549120aa79da91e01df77445b1815908842701b426e9084156c1c86565fd2e3d0e6fe425a23475e08a97d4bf01639b64283a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
35cccd2e56fbb8f60a41f2d34bac3d44

SHA1
67bba59c8430603f3cf8a4054adc63b97dd56c44

SHA256
2312a62a11516a045d6ccf8cd0b39ece1fe1634979b574abec20ab89c7fa3c54

SHA512
82d38fb9aed9dfea2b98835abe68e13bcb563ece1fa0abc1530455256d24d230f96518e3f3de70a885696e479368aaef7e1bababb9401cee030fce44ef6ffc89

Download Submit
\Program Files\Kryptex\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
\Program Files\Kryptex\libEGL.dll

Filesize
432KB

MD5
6efa8068776b4eadb3b9dfdef089ca68

SHA1
fa2023ecbcae030cddff3188c9d3c906cc69a64f

SHA256
fa59945648614e0ebf9f8eaf63500347da59a0d2e7484b6b5d4be6cf6ee917de

SHA512
70e6749841a384daa65f284c5d7a8afa358b03b38cc091819aa5545960834b9b4a394eccc19c0a1e290c5b33fbaaa56bd1d6d988b5da0a34e2e56dacde5b17d4

Download Submit
\Program Files\Kryptex\libGLESv2.dll

Filesize
7.8MB

MD5
cdc3935fa97855b4f9d692702ea95ef9

SHA1
68939afd7f1f4a470d9328b068250c0b5fbab2c2

SHA256
eea91ba71fdec104e8d7c9fd24687ec4f1c308d79d6730ef58127a92025cc006

SHA512
3cdbd833e8311023d673315c2aebc8e19a17e5767dfa40ca2646ee094eeef27117961f581aaa4584fc639e9ec0195f98ea5454b397cf1cd2709b7772207381b5

Download Submit
\Program Files\Kryptex\vk_swiftshader.dll

Filesize
4.4MB

MD5
e8ae323ba929d42e9e1b8112b47a7af2

SHA1
8c78eba22be420ea3094aff6b2dd35587805c012

SHA256
081210e45740985a91a25c7ea057761c89b619375af64e0b7d37d3d4b57de490

SHA512
649d1483bfa2e8bce5c1143639534b5b612d613156f59b6ec1fbb3ce96242a6018f15c59471627f1ece7c9a59e3ee8031d10e51fcbbbca776675dd4a26898693

Download Submit
\Program Files\Kryptex\vulkan-1.dll

Filesize
711KB

MD5
e2b4f5e5fa717ccd9cf32c5cb45691f6

SHA1
6adb41cb87757eb218af0df932273dd2a63e5e3f

SHA256
7fa723cd735f2ddffb146c838ac2542edbd1119e3df1864ec47c5e77ac30b8d2

SHA512
cab830d0027a7fcca934129cc83165d99f7c15c5b1d70c3bc74c2ad64003e2236bd43165b48124d0b5ca96a9e5eb1db5464ce9f69c3209dbc54c428db1df7e8b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy92AF.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/344-329-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/344-367-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/1656-290-0x0000000004110000-0x0000000004112000-memory.dmp

Filesize
8KB

Download
memory/2184-22-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-21-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-19-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-20-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-18-0x0000000073F51000-0x0000000073F52000-memory.dmp

Filesize
4KB

Download
memory/2184-23-0x0000000073F50000-0x00000000744FB000-memory.dmp

Filesize
5.7MB

Download