100565864eed928d474d1912b9de2f124a2e94f312a454922b4ccdff36860fba

Resubmissions

25/09/2024, 10:15

240925-mah9eazdjk 8

19/09/2024, 16:05

240919-tjgkhaxdjh 8

Analysis

max time kernel
303s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25/09/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.exe
Size

67.1MB
MD5

7d658964c1874ca902f3dc0864b00a3c
SHA1

c972667622f44e4cb93a2fc7d9f1a0dc1cbb5edf
SHA256

100565864eed928d474d1912b9de2f124a2e94f312a454922b4ccdff36860fba
SHA512

28adf2797b6acc971d67f75bc2c8ea90693c68e62732f1f5986561b0b9bfc60d0ca4495f6547057a046286328c6a25268c07aadbe5cdacf246ddbbb0c8de086f
SSDEEP

1572864:AK93N+NLkIzv7Bc6hrd3L/HGuIa31UwAQEKhSzqYA8nfndf:AU9+NC69N/muIq1ULQE4SpFf

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4812	powershell.exe
2308	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kryptex = "\"C:\\Program Files\\Kryptex\\Kryptex.exe\" --from-startup缀"	Kryptex.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Kryptex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Kryptex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Kryptex.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Kryptex\locales\nl.pak	download.exe
File created	C:\Program Files\Kryptex\locales\pl.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\7x.sh	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\index.js	download.exe
File opened for modification	C:\Program Files\Kryptex\ffmpeg.dll	download.exe
File opened for modification	C:\Program Files\Kryptex\LICENSES.chromium.html	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\de.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\nb.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ta.pak	download.exe
File created	C:\Program Files\Kryptex\locales\uk.pak	download.exe
File created	C:\Program Files\Kryptex\locales\zh-TW.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\index.js	download.exe
File opened for modification	C:\Program Files\Kryptex\vk_swiftshader_icd.json	download.exe
File created	C:\Program Files\Kryptex\locales\am.pak	download.exe
File created	C:\Program Files\Kryptex\locales\fr.pak	download.exe
File created	C:\Program Files\Kryptex\d3dcompiler_47.dll	download.exe
File created	C:\Program Files\Kryptex\locales\sl.pak	download.exe
File created	C:\Program Files\Kryptex\locales\te.pak	download.exe
File created	C:\Program Files\Kryptex\resources.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\package.json	download.exe
File created	C:\Program Files\Kryptex\libGLESv2.dll	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\arm64\7za.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\bg.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\lv.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\swiftshader	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ar.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\hi.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release	download.exe
File created	C:\Program Files\Kryptex\locales\de.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\es.pak	download.exe
File created	C:\Program Files\Kryptex\locales\ml.pak	download.exe
File created	C:\Program Files\Kryptex\locales\nb.pak	download.exe
File created	C:\Program Files\Kryptex\locales\zh-CN.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\package.json	download.exe
File created	C:\Program Files\Kryptex\KryptexElevationFromStartup.xml	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\cs.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\libEGL.dll	download.exe
File created	C:\Program Files\Kryptex\vk_swiftshader.dll	download.exe
File created	C:\Program Files\Kryptex\Uninstall Kryptex.exe	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\package.json	download.exe
File created	C:\Program Files\Kryptex\snapshot_blob.bin	download.exe
File created	C:\Program Files\Kryptex\locales\fil.pak	download.exe
File created	C:\Program Files\Kryptex\locales\he.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\hu.pak	download.exe
File created	C:\Program Files\Kryptex\locales\ja.pak	download.exe
File created	C:\Program Files\Kryptex\locales\kn.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\sl.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\da.pak	download.exe
File created	C:\Program Files\Kryptex\locales\en-US.pak	download.exe
File created	C:\Program Files\Kryptex\libEGL.dll	download.exe
File created	C:\Program Files\Kryptex\locales\lt.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\nvapi\index.js	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\x64\7za.exe	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ko.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\en-GB.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\fa.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\index.js	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\x64	download.exe
File created	C:\Program Files\Kryptex\locales\ar.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\nvapi\index.js	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\nvapi	download.exe

Executes dropped EXE 64 IoCs

pid	Process
2488	Kryptex.exe
1048	Kryptex.exe
224	Kryptex.exe
4448	Kryptex.exe
3908	Kryptex.exe
2008	Kryptex.exe
2560	adlinfo.exe
2684	pagefile.exe
2468	adlinfo.exe
4144	adlinfo.exe
5048	adlinfo.exe
2284	adlinfo.exe
3668	adlinfo.exe
3504	adlinfo.exe
4156	adlinfo.exe
2176	adlinfo.exe
4604	adlinfo.exe
3904	adlinfo.exe
4076	adlinfo.exe
3328	adlinfo.exe
3532	adlinfo.exe
3132	adlinfo.exe
1060	adlinfo.exe
3024	adlinfo.exe
1260	adlinfo.exe
2220	adlinfo.exe
688	adlinfo.exe
3668	adlinfo.exe
2864	adlinfo.exe
4844	adlinfo.exe
5028	adlinfo.exe
4272	adlinfo.exe
5048	adlinfo.exe
3576	Kryptex.exe
2580	adlinfo.exe
4772	adlinfo.exe
3328	adlinfo.exe
1192	adlinfo.exe
4272	adlinfo.exe
4260	adlinfo.exe
1220	adlinfo.exe
1060	adlinfo.exe
1916	adlinfo.exe
1640	adlinfo.exe
5056	adlinfo.exe
5032	adlinfo.exe
2628	adlinfo.exe
2444	adlinfo.exe
5116	adlinfo.exe
2616	adlinfo.exe
2708	adlinfo.exe
2352	adlinfo.exe
4476	adlinfo.exe
1032	adlinfo.exe
2624	adlinfo.exe
3364	adlinfo.exe
348	adlinfo.exe
4728	adlinfo.exe
5080	adlinfo.exe
3900	adlinfo.exe
3624	adlinfo.exe
1312	adlinfo.exe
2916	adlinfo.exe
4676	adlinfo.exe

Loads dropped DLL 40 IoCs

pid	Process
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
2488	Kryptex.exe
1048	Kryptex.exe
224	Kryptex.exe
4448	Kryptex.exe
3908	Kryptex.exe
224	Kryptex.exe
224	Kryptex.exe
224	Kryptex.exe
224	Kryptex.exe
224	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
2008	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Kryptex.exe

Modifies registry key 1 TTPs 58 IoCs

Modify Registry

T1112

pid	Process
3868	reg.exe
3176	reg.exe
4064	reg.exe
576	reg.exe
4844	reg.exe
1512	reg.exe
1468	reg.exe
3644	reg.exe
2464	reg.exe
5080	reg.exe
3024	reg.exe
1504	reg.exe
4604	reg.exe
3676	reg.exe
4184	reg.exe
1856	reg.exe
4552	reg.exe
4100	reg.exe
2180	reg.exe
4684	reg.exe
4644	reg.exe
4424	reg.exe
1472	reg.exe
2796	reg.exe
4716	reg.exe
1852	reg.exe
2824	reg.exe
4184	reg.exe
2812	reg.exe
1308	reg.exe
4944	reg.exe
1724	reg.exe
908	reg.exe
1192	reg.exe
436	reg.exe
4704	reg.exe
4604	reg.exe
1360	reg.exe
4724	reg.exe
1196	reg.exe
792	reg.exe
3512	reg.exe
4708	reg.exe
1512	reg.exe
3480	reg.exe
3304	reg.exe
4912	reg.exe
4760	reg.exe
1292	reg.exe
1396	reg.exe
5052	reg.exe
4460	reg.exe
1472	reg.exe
4104	reg.exe
5048	reg.exe
5000	reg.exe
2308	reg.exe
944	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Kryptex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Kryptex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Kryptex.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3796	schtasks.exe
4568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4700	download.exe
4328	powershell.exe
4328	powershell.exe
4328	powershell.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
4448	Kryptex.exe
4448	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2008	Kryptex.exe
2008	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe
3576	Kryptex.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeSecurityPrivilege	4700	download.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe
Token: SeSecurityPrivilege	1104	wmic.exe
Token: SeTakeOwnershipPrivilege	1104	wmic.exe
Token: SeLoadDriverPrivilege	1104	wmic.exe
Token: SeSystemProfilePrivilege	1104	wmic.exe
Token: SeSystemtimePrivilege	1104	wmic.exe
Token: SeProfSingleProcessPrivilege	1104	wmic.exe
Token: SeIncBasePriorityPrivilege	1104	wmic.exe
Token: SeCreatePagefilePrivilege	1104	wmic.exe
Token: SeBackupPrivilege	1104	wmic.exe
Token: SeRestorePrivilege	1104	wmic.exe
Token: SeShutdownPrivilege	1104	wmic.exe
Token: SeDebugPrivilege	1104	wmic.exe
Token: SeSystemEnvironmentPrivilege	1104	wmic.exe
Token: SeRemoteShutdownPrivilege	1104	wmic.exe
Token: SeUndockPrivilege	1104	wmic.exe
Token: SeManageVolumePrivilege	1104	wmic.exe
Token: 33	1104	wmic.exe
Token: 34	1104	wmic.exe
Token: 35	1104	wmic.exe
Token: 36	1104	wmic.exe
Token: SeIncreaseQuotaPrivilege	1104	wmic.exe
Token: SeSecurityPrivilege	1104	wmic.exe
Token: SeTakeOwnershipPrivilege	1104	wmic.exe
Token: SeLoadDriverPrivilege	1104	wmic.exe
Token: SeSystemProfilePrivilege	1104	wmic.exe
Token: SeSystemtimePrivilege	1104	wmic.exe
Token: SeProfSingleProcessPrivilege	1104	wmic.exe
Token: SeIncBasePriorityPrivilege	1104	wmic.exe
Token: SeCreatePagefilePrivilege	1104	wmic.exe
Token: SeBackupPrivilege	1104	wmic.exe
Token: SeRestorePrivilege	1104	wmic.exe
Token: SeShutdownPrivilege	1104	wmic.exe
Token: SeDebugPrivilege	1104	wmic.exe
Token: SeSystemEnvironmentPrivilege	1104	wmic.exe
Token: SeRemoteShutdownPrivilege	1104	wmic.exe
Token: SeUndockPrivilege	1104	wmic.exe
Token: SeManageVolumePrivilege	1104	wmic.exe
Token: 33	1104	wmic.exe
Token: 34	1104	wmic.exe
Token: 35	1104	wmic.exe
Token: 36	1104	wmic.exe
Token: SeIncreaseQuotaPrivilege	4924	wmic.exe
Token: SeSecurityPrivilege	4924	wmic.exe
Token: SeTakeOwnershipPrivilege	4924	wmic.exe
Token: SeLoadDriverPrivilege	4924	wmic.exe
Token: SeSystemProfilePrivilege	4924	wmic.exe
Token: SeSystemtimePrivilege	4924	wmic.exe
Token: SeProfSingleProcessPrivilege	4924	wmic.exe
Token: SeIncBasePriorityPrivilege	4924	wmic.exe
Token: SeCreatePagefilePrivilege	4924	wmic.exe
Token: SeBackupPrivilege	4924	wmic.exe
Token: SeRestorePrivilege	4924	wmic.exe
Token: SeShutdownPrivilege	4924	wmic.exe
Token: SeDebugPrivilege	4924	wmic.exe
Token: SeSystemEnvironmentPrivilege	4924	wmic.exe
Token: SeRemoteShutdownPrivilege	4924	wmic.exe
Token: SeUndockPrivilege	4924	wmic.exe
Token: SeManageVolumePrivilege	4924	wmic.exe
Token: 33	4924	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
2488	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe
3908	Kryptex.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4812	4700	download.exe	72
PID 4700 wrote to memory of 4812	4700	download.exe	72
PID 4700 wrote to memory of 4812	4700	download.exe	72
PID 4700 wrote to memory of 2308	4700	download.exe	74
PID 4700 wrote to memory of 2308	4700	download.exe	74
PID 4700 wrote to memory of 2308	4700	download.exe	74
PID 4700 wrote to memory of 4328	4700	download.exe	76
PID 4700 wrote to memory of 4328	4700	download.exe	76
PID 4700 wrote to memory of 4328	4700	download.exe	76
PID 4700 wrote to memory of 5104	4700	download.exe	79
PID 4700 wrote to memory of 5104	4700	download.exe	79
PID 4700 wrote to memory of 5104	4700	download.exe	79
PID 4700 wrote to memory of 2008	4700	download.exe	81
PID 4700 wrote to memory of 2008	4700	download.exe	81
PID 4700 wrote to memory of 2008	4700	download.exe	81
PID 4700 wrote to memory of 3796	4700	download.exe	83
PID 4700 wrote to memory of 3796	4700	download.exe	83
PID 4700 wrote to memory of 3796	4700	download.exe	83
PID 4700 wrote to memory of 4568	4700	download.exe	85
PID 4700 wrote to memory of 4568	4700	download.exe	85
PID 4700 wrote to memory of 4568	4700	download.exe	85
PID 2488 wrote to memory of 1048	2488	Kryptex.exe	89
PID 2488 wrote to memory of 1048	2488	Kryptex.exe	89
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 224	2488	Kryptex.exe	90
PID 2488 wrote to memory of 4448	2488	Kryptex.exe	91

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Add-MpPreference -ExclusionPath \"C:\Program Files\Kryptex\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Remove-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /f /tn KryptexElevation
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /f /tn KryptexElevationFromStartup
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /tn KryptexElevationV2 /xml "C:\Program Files\Kryptex\KryptexElevation.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3796
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /tn KryptexElevationV2FromStartup /xml "C:\Program Files\Kryptex\KryptexElevationFromStartup.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4568

C:\Program Files\Kryptex\Kryptex.exe
"C:\Program Files\Kryptex\Kryptex.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Kryptex /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Kryptex\Crashpad --url=https://f.a.k/e --annotation=_productName=Kryptex --annotation=_version=4.44.2 --annotation=prod=Electron --annotation=ver=14.2.9 --initial-client-data=0x41c,0x424,0x428,0x404,0x42c,0x7ff713678a38,0x7ff713678a48,0x7ff713678a58
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1048
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=gpu-process --field-trial-handle=1680,18109829349134144014,12978708952631219360,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1688 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:224
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1680,18109829349134144014,12978708952631219360,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1716 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\Kryptex\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1680,18109829349134144014,12978708952631219360,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
  2⤵
  - Adds Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3908
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get locale
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4964
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:436
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:796
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:4828
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get SerialNumber /value
    3⤵
    PID:3068
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get TotalVirtualMemorySize /value
    3⤵
    PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:2616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:2272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:304
- - C:\Windows\System32\Wbem\wmic.exe
    wmic pagefile get AllocatedBaseSize /value
    3⤵
    PID:3812
- - C:\Windows\System32\Wbem\wmic.exe
    wmic logicaldisk where Caption='C:' get FreeSpace /value
    3⤵
    PID:3644
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release\pagefile.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release\pagefile.exe" 16 16
    3⤵
    - Executes dropped EXE
    PID:2684
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe" setPageSize 2
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDelay /t REG_DWORD /d 0x14 /f"
    3⤵
    PID:5084
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDelay /t REG_DWORD /d 0x14 /f
      4⤵
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDdiDelay /t REG_DWORD /d 0xa /f"
    3⤵
    PID:4224
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDdiDelay /t REG_DWORD /d 0xa /f
      4⤵
      PID:3032
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3800
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4184
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1856
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4144
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5048
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption /value
    3⤵
    PID:4592
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get SerialNumber /value
    3⤵
    PID:1564
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get TotalVirtualMemorySize /value
    3⤵
    PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:3604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:4524
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2932
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4184
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3116
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1512
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3668
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4948
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1852
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3504
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:796
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3868
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4156
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4648
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3480
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2176
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:5092
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:5052
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4604
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:656
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:576
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3904
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2820
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3024
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4076
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4552
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3328
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1384
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3304
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3532
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4424
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3132
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4604
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1060
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4352
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4100
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1640
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4460
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1260
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2316
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2308
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3464
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2812
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:688
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2464
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3668
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:792
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1472
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2864
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1648
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2180
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4844
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:788
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:5080
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2220
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4912
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4252
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4760
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5048
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3956
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:792
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4568
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1504
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4844
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3328
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1292
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1192
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1288
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3676
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2964
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1512
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4260
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2644
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:944
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1220
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3284
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3512
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1060
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2616
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1468
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4224
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4684
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2352
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1308
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5056
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1264
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4104
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3760
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3176
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3644
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2444
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1396
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4644
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5116
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4604
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3496
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2824
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4608
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4944
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2284
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4704
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4476
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:5092
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1360
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2280
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:5048
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1044
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1396
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3364
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3576
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4064
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:348
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:5020
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1472
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4820
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4724
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5080
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1876
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1724
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3900
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:688
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:908
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3624
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1196
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1312
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1356
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2796
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3044
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4716
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4676
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3324
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:5000
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    PID:4524
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:740
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4708
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    PID:5040
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1880
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1192
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    PID:3464
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\Kryptex\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1680,18109829349134144014,12978708952631219360,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=gpu-process --field-trial-handle=1680,18109829349134144014,12978708952631219360,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAQAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kryptex\KryptexElevation.xml

Filesize
3KB

MD5
e584e974928f5c25896c57ab4473c7fa

SHA1
d0f41300aa9899cfd8cee99c5b1179764cb5b3a9

SHA256
9ea9d814ae35bd3f5d8603fb174342f73e7292032b0e822920be971221b98211

SHA512
f9dfeae6ef90eb474a16262fd2b96a22418c3249cbf8e5a8765a297d3e4e14bd504aeed093b50d6537cd40b93bb1fab5503225e4812a793eacc72f2982867d2e

Download Submit
C:\Program Files\Kryptex\KryptexElevationFromStartup.xml

Filesize
3KB

MD5
6613ead33c20d846c8a1ba281d6c9327

SHA1
c7be96f9d32af83f99c23f21165fe860a455fc54

SHA256
77de3447f0f69513af4bc08f410a28f58189234bd908e5f7d1ff5c35e0a086b1

SHA512
fa71a511b96628999ff1a1ac5f8aebc44c2be108a427a51e56ac4c72aec37bfda308cafd0ab12b6a55bc7f802cdd98ae7922be6ad67adf3c3bbb65b4c946bf7d

Download Submit
C:\Program Files\Kryptex\chrome_100_percent.pak

Filesize
139KB

MD5
109ee8ffd715c63e3e2248c2ad5ca559

SHA1
7f89b213e80e2b4f52f75b449baecb88054d5e07

SHA256
b581f176c6bdbf8a152947fb37af9c0e6d7651616408cb7312b336c37a704580

SHA512
3fc5e1de128ce0ddf6dddba758a651f4030323e5285b54859019eb95fb0ae11321ba9c391e8bc578acb7f49dd4d82821c4f9947f39972d79360fd2e6abc67de8

Download Submit
C:\Program Files\Kryptex\chrome_200_percent.pak

Filesize
203KB

MD5
3e50e56e351309566b7e3e5a5ca7c7b6

SHA1
3ef35792e0b9c3b902d4da59d0a4bb34590c5400

SHA256
abd207d3e55f0250b27ce23f2a15b0a5ff6f769c08f54e705e2fd0273dca5f1e

SHA512
b24b20fe5dd9766b86869c51b6d92fd3b191bc3a2cac8a4b43b781644958b49500a0fca3fc69781d9c5a80868508f1fa0af9bc1896dc73f944cf1af8546815f0

Download Submit
C:\Program Files\Kryptex\icudtl.dat

Filesize
9.7MB

MD5
224ba45e00bbbb237b34f0facbb550bf

SHA1
1b0f81da88149d9c610a8edf55f8f12a87ca67de

SHA256
8dee674ccd2387c14f01b746779c104e383d57b36c2bdc8e419c470a3d5ffadc

SHA512
c04d271288dd2eff89d91e31829586706eba95ffbab0b75c2d202a4037e66a4e2205e8a37ecf15116302c51239b1826064ed4670a3346439470b260aba0ea784

Download Submit
C:\Program Files\Kryptex\locales\en-US.pak

Filesize
95KB

MD5
a986c722c10b0639d00250468bb41100

SHA1
7d5d7188ec4723f32bfb13e3573db39b234d934b

SHA256
cb40b01d42057e1aa9a3660afa5db2507e4dadb9b23099ab087c4ff14a99d5e9

SHA512
768145c6dd70e9d3df09cbabb0562249442e86369c6d60d27b2408b8e9d767899911bcc254c0aedc0d29705ab51367a08ff1e25e387a5eb6daae5365c2082d81

Download Submit
C:\Program Files\Kryptex\resources.pak

Filesize
4.6MB

MD5
d98298d188d7ebed9b3e89a822f95df7

SHA1
a50523cc15f47abb6f1b50982db454e4e956ebc8

SHA256
0acd9cafd7c4fac398e85a6e008bad6d7ad34f90b0bfd207df330d3e69bcfa75

SHA512
24cd58294f12f0541d49d180c23b89796596a599d1fc4346d8155b552d765bad0e759c85dded98cf4f3c74ec150b98baf27528f0e864fd37f71dd41c90345791

Download Submit
C:\Program Files\Kryptex\resources\app.asar

Filesize
49.5MB

MD5
8c337b5f01bd3f9628ea513dbb2eb7f7

SHA1
9090597fb41c9527a17eaf23fd679eccf99b150e

SHA256
4043dc892963956232ee95734f5c4d9b1f4848190d5177cca2d1248ef2a4786e

SHA512
676938726779e894b8fb87e35894521667df6378d47b48debc8df309954a0bd570f69ed7397a6ce6cad1471593fa45946ac7780ef1b9369100dc3cdd6f7c3344

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\index.js

Filesize
500B

MD5
9fe8a485038be54d687ad7dd9dff80d3

SHA1
76fc7b47a329b759539bca0b785ad41c083c29be

SHA256
48659f660a13b5fa01622f87dc8a5306ce7c232abf93b82a3b2f6e94c2cf5c86

SHA512
0f3b2ce074ede02079bdab4229f6d4ded5eb7ec64546c3b9f103114aabb35093fecfd04677a0a84d3691fb49bae8a6c5489cee946c7f5f4b86aec3e96434dfac

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\package.json

Filesize
244B

MD5
2a3677c6c6bba9a148bc83c2f145d136

SHA1
1b828bd2e2b4eaaed8e68821692a0bf87bdd54db

SHA256
acabcd4f1c0b7399de4c213e8fdfd5d064f29e278f94bd5b763d8ac8555e2c18

SHA512
907651c11e31ce7c8242c825033e168c04a185e4717d6c28b1c77a48317ef662419c833300198fc6292721299905d7fe32069307bcc5751e3192e50c3c26209b

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\index.js

Filesize
4KB

MD5
976fc725b3643055a0ab0f1944b7b55c

SHA1
2728f42cd6889a0abb26a41d20a2e38fe8ea9d0f

SHA256
3e0b1ed5c6efb4e5b8afa244e4ee0a303180bed5d8d747177a1149e6e6bd77d5

SHA512
c31f0e83ee990b48324c4813b42ac41b47799be3ec8b009a667b22bd872a0414ef451d5df25e83f4ff910cda6d9a8814348d0ee3a519bf86d885045687568a0d

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\package.json

Filesize
390B

MD5
1c1ab1eaac9d44cf7ba78abab3314f8b

SHA1
bc141359f6383fc6329fcd6bd60a7396074c5011

SHA256
1c1f9fa4f21bfdc05088b3d3e76d46a01a0a3eac388f2bf59584c96e5b00b15a

SHA512
7fc6d56c0abdacaab94e459dc656a92ef625295df47580386db4d88cb339089f1735cf6dff36188936b3197a917f6ea15bc90aefc9b612b4876a7258fa9ab5f4

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\index.js

Filesize
482B

MD5
f63893525bdabde99f42c544015b11ff

SHA1
85f947a7ccdc35df4796acc6b573c3e870fe12f8

SHA256
9b1588849017bb512ed2958133e2ee04d7703787246152440526513db0f72722

SHA512
b027ad668123b8d3f2eb7895b8afcb1b6d5439bb7efedc6d9b4cff8d198a46449bbe1f8ea0e5facc358fd60efda6bd392f26adf08a2d73e0de0359ce60be09c1

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\package.json

Filesize
294B

MD5
c1ef8b1c92d16bf52d8feb92fa29ab32

SHA1
c98865f894ec3c1ccd2310bca105d1872f9fe921

SHA256
8890db4f7f1d77acfae56339d378f8244e5ff5c867409464085ca22bea064a08

SHA512
07c36e200f5bf875475a54f6dd183a16bacfbb99be5c004c9d795e579ed4b40745235c3c7c67cf624e475aad4e7577cf6c34b03a21aea8d2a2d383234111d761

Download Submit
C:\Program Files\Kryptex\v8_context_snapshot.bin

Filesize
160KB

MD5
1c153a96607d3e2c38f11a396533fc80

SHA1
42d11efbaa549ade29c341e6b8ad5a0545047c62

SHA256
18ad1a1abeec0230f2a3e38a80c00d4e298bb55d2bb76a2c8e8b113814023815

SHA512
c3ed01af43532d75c845152f35e844f730f6c7ee14f59ef77222a9b62c52354b4c995fc32b95369d888353da56c308dd32cdec97d34d2aab968e426018416248

Download Submit
C:\Program Files\Kryptex\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
30949f4287f1ea01145b799b2433291f

SHA1
04577b790db1932d13699a22387e4c06df72646f

SHA256
fe6be14b21033416afd75a9e882d86dbe8b555ba96ad3b2aa685614a15d6753a

SHA512
5e61de0429bb7d7490b5a701006de2e0ebea94e57fc49cabb25d7b1351729fc6fee6618164e2f42492b214ea36363c557c0bd73715fb23427467452293774f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
80cc71b1e9f9b5966234e78541e1477d

SHA1
f259052d009b4c34797278f57e819e45a56a0cc3

SHA256
c4182143fe6be4804eb9ce6dbbe401c7867f0216198d3444a6301456b3aa6bb6

SHA512
5a064836e086b12bfbe317f349375f6a81f9fecb43b838b366fa7f9d45d015f73d98f1cf6f0e45df08723d2e980b411aa90408b8360ec1878966da4c9adfb206

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1wf33lw.g4l.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\Crashpad\settings.dat

Filesize
40B

MD5
41d75a795507e530bdba02c53df60499

SHA1
83ccb9eb8b745cf1b07d2091afefddd3ea4b5766

SHA256
a7e99b3df05542b5051e22723729d1e766b49039f961634654006774037b40c5

SHA512
0af6ae341ddb0e15e6b063c7238fab6c81b76fa5623bc9763f28f8c78e5353cc40ff2f006d983b37696964eba3fc304fb80ca6fbeb8310fb5f800c1d1f1da58d

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\Network Persistent State

Filesize
190B

MD5
144b52099522740457fb7554fc115877

SHA1
f8f27104c8c63d9f8d15b0dbfc69bd56074e222d

SHA256
7c403f84d980c75ea64d984e09e536e54869b80ccba91cec24d739238aacf984

SHA512
2e891bf8e7bfab586793d51ba520fb1e1f0d0100b76e76054f176873cf4353569e4165836dce4438af950561f0cf181ea6ee4635b1ceb1f4a45a919c0b68db8e

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\Network Persistent State~RFe58e3e3.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\sentry\queue\86db8b0b8358475a88d4bf5d04634e2a

Filesize
7KB

MD5
f81003e77184d785446aadc041087afc

SHA1
1d0ed6df739a5ce173cd29ee2311f5e855cd0922

SHA256
55f35d7d084a7ea4fbd74391074991406bdda1e5290a622b139234ff491150f8

SHA512
d7bd965870b5c99f737d1cc264eed13bee11aefbd3755de1ec223961f3a947425199671286879983168cdab2c43322ab26ced6ada2d67a312cbadcd442018212

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\sentry\scope_v2.json

Filesize
7KB

MD5
7b9ab335d01e6b0991772fd7a5388a72

SHA1
b610758d401568c8a0c0f7b6e426027d99f6ac39

SHA256
7f6b192e0496bbd3825ce31735b4637e0ce57745b0458d4fe62ad8ae8e9fb174

SHA512
1a4993e30e72b9d203d0349d55fe0fa9f34fd711ad567f9ea274e4ff96281850e8d5587350bcb24587520647030bb6155a0be35272e6990e64a74490cac12a82

Download Submit
\Program Files\Kryptex\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
\Program Files\Kryptex\ffmpeg.dll

Filesize
2.6MB

MD5
002287b5dfe53d87c189f368c7f785b5

SHA1
00e6e0e224b5f391c0172008ec78ec5124153649

SHA256
b453afca000aef28c8f27a315a31f244c46755308dea8d9ad55d19a507471a6b

SHA512
c2b23dd13e3f1c009e2eb2e4aae7a9a4e713642a9031c1e51125c9f0c6c8c6430a2088dd5c20867a2e948c97ae9a9078535e96b5d06ea6c7bd7f67a2db2104aa

Download Submit
\Program Files\Kryptex\libEGL.dll

Filesize
432KB

MD5
6efa8068776b4eadb3b9dfdef089ca68

SHA1
fa2023ecbcae030cddff3188c9d3c906cc69a64f

SHA256
fa59945648614e0ebf9f8eaf63500347da59a0d2e7484b6b5d4be6cf6ee917de

SHA512
70e6749841a384daa65f284c5d7a8afa358b03b38cc091819aa5545960834b9b4a394eccc19c0a1e290c5b33fbaaa56bd1d6d988b5da0a34e2e56dacde5b17d4

Download Submit
\Program Files\Kryptex\libGLESv2.dll

Filesize
7.8MB

MD5
cdc3935fa97855b4f9d692702ea95ef9

SHA1
68939afd7f1f4a470d9328b068250c0b5fbab2c2

SHA256
eea91ba71fdec104e8d7c9fd24687ec4f1c308d79d6730ef58127a92025cc006

SHA512
3cdbd833e8311023d673315c2aebc8e19a17e5767dfa40ca2646ee094eeef27117961f581aaa4584fc639e9ec0195f98ea5454b397cf1cd2709b7772207381b5

Download Submit
\Program Files\Kryptex\vk_swiftshader.dll

Filesize
4.4MB

MD5
e8ae323ba929d42e9e1b8112b47a7af2

SHA1
8c78eba22be420ea3094aff6b2dd35587805c012

SHA256
081210e45740985a91a25c7ea057761c89b619375af64e0b7d37d3d4b57de490

SHA512
649d1483bfa2e8bce5c1143639534b5b612d613156f59b6ec1fbb3ce96242a6018f15c59471627f1ece7c9a59e3ee8031d10e51fcbbbca776675dd4a26898693

Download Submit
\Program Files\Kryptex\vulkan-1.dll

Filesize
711KB

MD5
e2b4f5e5fa717ccd9cf32c5cb45691f6

SHA1
6adb41cb87757eb218af0df932273dd2a63e5e3f

SHA256
7fa723cd735f2ddffb146c838ac2542edbd1119e3df1864ec47c5e77ac30b8d2

SHA512
cab830d0027a7fcca934129cc83165d99f7c15c5b1d70c3bc74c2ad64003e2236bd43165b48124d0b5ca96a9e5eb1db5464ce9f69c3209dbc54c428db1df7e8b

Download Submit
\Users\Admin\AppData\Local\Temp\1dc7f066-77eb-442c-bd07-75be4a9d308e.tmp.node

Filesize
148KB

MD5
4dc971c52b14a3843564fb0ce8a6a0c1

SHA1
5b19af49368e4f067cbc73af7b2b54bf2dc8efee

SHA256
27ec96008c48052d5f493683297c26b9136f1d6a9e73c3722e243bc959d7cc93

SHA512
52510b4c20146e635656814e7088464399cd4ca2d64ca67ee2b116ab4631918e092d90462fc450d610154b3284579cb8b7d0ca7bbc3a6eae6b0a348ccffd04dc

Download Submit
\Users\Admin\AppData\Local\Temp\36228c09-8b7e-4678-80e7-4a147d202ad2.tmp.node

Filesize
1.5MB

MD5
1f45de1aba2eb5820440183939e6107f

SHA1
c08e9af17578469a1692ee86e2d94ecdac5542b0

SHA256
0b8ec764bc98bc2fe44b0e3e3b398ddc9e82670663bd14c9e4a0cafec9c2713c

SHA512
bceebc835173eb542466b1a4f6f21c1eabd492ac9a86413e0b61194ef7b97f1310a54710dd4ae828b8ba7a52dc8db8caf95bdd7a8d0aa1348d9f83b97a04f25b

Download Submit
\Users\Admin\AppData\Local\Temp\5972fe02-9ef4-41a4-9626-7a960c8aabbb.tmp.node

Filesize
147KB

MD5
5cb6b3762df753d84e4ffd4afe1a7e1c

SHA1
ae2b1c4652aec7315607fc413a4c258f11b69544

SHA256
48b7275f47cd44a05d349eb4fdb6cfc451ccbf609a4a56fa34452bcf231c1208

SHA512
5723c10ea9c26524f7866b9c749d9887b10c1514bf0cc893ba2a6e9c5d9690015cbcbe024653956af3fb842de3290b4c6c4beb051b67480bdae543d8fd3981cc

Download Submit
\Users\Admin\AppData\Local\Temp\e208dd9e-3f38-44b6-8775-6a2488ce18b1.tmp.node

Filesize
761KB

MD5
dc2791bf78b39ef568ba7bb495dedb98

SHA1
2d80d8c47096b8eec1945094797c9466762f3c1f

SHA256
eb1a2a0903c456db115ac01742afb3fbd4af8598e809c8f52e5b1fde2d5fe36a

SHA512
21780f4198695410fa87237d0d2c60ae2fae109ef0c66606b959072de7cc7216b3825af1c6f4797e1748b22b8bfecf33f24d16ad76a4e2501b1ba8dcdecf1407

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsf7ACE.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/224-1043-0x00007FFDDA790000-0x00007FFDDA791000-memory.dmp

Filesize
4KB

Download
memory/2308-291-0x000000006F900000-0x000000006F94B000-memory.dmp

Filesize
300KB

Download
memory/2308-273-0x0000000008040000-0x0000000008390000-memory.dmp

Filesize
3.3MB

Download
memory/4328-732-0x0000000007E20000-0x0000000008170000-memory.dmp

Filesize
3.3MB

Download
memory/4328-756-0x00000000097F0000-0x0000000009895000-memory.dmp

Filesize
660KB

Download
memory/4328-751-0x000000006EE50000-0x000000006EE9B000-memory.dmp

Filesize
300KB

Download
memory/4328-734-0x0000000008760000-0x00000000087AB000-memory.dmp

Filesize
300KB

Download
memory/4812-266-0x0000000072C20000-0x000000007330E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-250-0x0000000008F80000-0x0000000008F88000-memory.dmp

Filesize
32KB

Download
memory/4812-245-0x0000000008FA0000-0x0000000008FBA000-memory.dmp

Filesize
104KB

Download
memory/4812-52-0x0000000009040000-0x00000000090D4000-memory.dmp

Filesize
592KB

Download
memory/4812-51-0x0000000072C20000-0x000000007330E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-50-0x0000000008C10000-0x0000000008CB5000-memory.dmp

Filesize
660KB

Download
memory/4812-45-0x0000000008AA0000-0x0000000008ABE000-memory.dmp

Filesize
120KB

Download
memory/4812-44-0x000000006F900000-0x000000006F94B000-memory.dmp

Filesize
300KB

Download
memory/4812-42-0x0000000008AC0000-0x0000000008AF3000-memory.dmp

Filesize
204KB

Download
memory/4812-43-0x0000000072C20000-0x000000007330E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-25-0x0000000007BE0000-0x0000000007C56000-memory.dmp

Filesize
472KB

Download
memory/4812-24-0x0000000007EB0000-0x0000000007EFB000-memory.dmp

Filesize
300KB

Download
memory/4812-23-0x0000000006D10000-0x0000000006D2C000-memory.dmp

Filesize
112KB

Download
memory/4812-22-0x0000000007530000-0x0000000007880000-memory.dmp

Filesize
3.3MB

Download
memory/4812-21-0x00000000073C0000-0x0000000007426000-memory.dmp

Filesize
408KB

Download
memory/4812-20-0x0000000006C10000-0x0000000006C76000-memory.dmp

Filesize
408KB

Download
memory/4812-19-0x0000000006720000-0x0000000006742000-memory.dmp

Filesize
136KB

Download
memory/4812-17-0x0000000072C20000-0x000000007330E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-18-0x0000000006D90000-0x00000000073B8000-memory.dmp

Filesize
6.2MB

Download
memory/4812-16-0x0000000006660000-0x0000000006696000-memory.dmp

Filesize
216KB

Download
memory/4812-13-0x0000000072C2E000-0x0000000072C2F000-memory.dmp

Filesize
4KB

Download