100565864eed928d474d1912b9de2f124a2e94f312a454922b4ccdff36860fba

Resubmissions

25/09/2024, 10:15

240925-mah9eazdjk 8

19/09/2024, 16:05

240919-tjgkhaxdjh 8

Analysis

max time kernel
305s
max time network
306s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25/09/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.exe
Size

67.1MB
MD5

7d658964c1874ca902f3dc0864b00a3c
SHA1

c972667622f44e4cb93a2fc7d9f1a0dc1cbb5edf
SHA256

100565864eed928d474d1912b9de2f124a2e94f312a454922b4ccdff36860fba
SHA512

28adf2797b6acc971d67f75bc2c8ea90693c68e62732f1f5986561b0b9bfc60d0ca4495f6547057a046286328c6a25268c07aadbe5cdacf246ddbbb0c8de086f
SSDEEP

1572864:AK93N+NLkIzv7Bc6hrd3L/HGuIa31UwAQEKhSzqYA8nfndf:AU9+NC69N/muIq1ULQE4SpFf

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
1364	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kryptex = "\"C:\\Program Files\\Kryptex\\Kryptex.exe\" --from-startup"	Kryptex.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win\x64	download.exe
File opened for modification	C:\Program Files\Kryptex\KryptexElevationFromStartup.xml	download.exe
File created	C:\Program Files\Kryptex\locales\cs.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\es.pak	download.exe
File created	C:\Program Files\Kryptex\locales\it.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\it.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\nb.pak	download.exe
File created	C:\Program Files\Kryptex\locales\sw.pak	download.exe
File created	C:\Program Files\Kryptex\locales\te.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\index.js	download.exe
File created	C:\Program Files\Kryptex\v8_context_snapshot.bin	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\sv.pak	download.exe
File created	C:\Program Files\Kryptex\locales\zh-CN.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\7x.sh	download.exe
File created	C:\Program Files\Kryptex\swiftshader\libEGL.dll	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\de.pak	download.exe
File created	C:\Program Files\Kryptex\locales\en-US.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\he.pak	download.exe
File created	C:\Program Files\Kryptex\locales\ja.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ja.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\sr.pak	download.exe
File created	C:\Program Files\Kryptex\libEGL.dll	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile	download.exe
File created	C:\Program Files\Kryptex\locales\bg.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ca.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\fr.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\tr.pak	download.exe
File created	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\nvapi\index.js	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\elevate.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\es-419.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\id.pak	download.exe
File created	C:\Program Files\Kryptex\locales\sk.pak	download.exe
File created	C:\Program Files\Kryptex\locales\sr.pak	download.exe
File created	C:\Program Files\Kryptex\locales\th.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\th.pak	download.exe
File created	C:\Program Files\Kryptex\locales\tr.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\package.json	download.exe
File opened for modification	C:\Program Files\Kryptex\vulkan-1.dll	download.exe
File opened for modification	C:\Program Files\Kryptex\locales	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\ta.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\index.js	download.exe
File opened for modification	C:\Program Files\Kryptex\v8_context_snapshot.bin	download.exe
File opened for modification	C:\Program Files\Kryptex\Kryptex.exe	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build	download.exe
File created	C:\Program Files\Kryptex\icudtl.dat	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\el.pak	download.exe
File created	C:\Program Files\Kryptex\locales\fi.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\sw.pak	download.exe
File created	C:\Program Files\Kryptex\d3dcompiler_47.dll	download.exe
File created	C:\Program Files\Kryptex\locales\da.pak	download.exe
File created	C:\Program Files\Kryptex\locales\fr.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\kn.pak	download.exe
File created	C:\Program Files\Kryptex\locales\ms.pak	download.exe
File created	C:\Program Files\Kryptex\snapshot_blob.bin	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend	download.exe
File opened for modification	C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\win	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\gu.pak	download.exe
File created	C:\Program Files\Kryptex\locales\kn.pak	download.exe
File opened for modification	C:\Program Files\Kryptex\locales\lt.pak	download.exe
File created	C:\Program Files\Kryptex\locales\pl.pak	download.exe
File created	C:\Program Files\Kryptex\locales\lt.pak	download.exe
File created	C:\Program Files\Kryptex\locales\nl.pak	download.exe

Executes dropped EXE 64 IoCs

pid	Process
4560	Kryptex.exe
1496	Kryptex.exe
544	Kryptex.exe
420	Kryptex.exe
1592	Kryptex.exe
3856	Kryptex.exe
248	adlinfo.exe
2352	pagefile.exe
2452	adlinfo.exe
4520	adlinfo.exe
1016	adlinfo.exe
3240	adlinfo.exe
564	adlinfo.exe
1812	adlinfo.exe
3760	adlinfo.exe
2064	adlinfo.exe
3532	adlinfo.exe
1516	adlinfo.exe
464	adlinfo.exe
3600	adlinfo.exe
1256	adlinfo.exe
888	adlinfo.exe
2792	adlinfo.exe
3756	adlinfo.exe
2608	adlinfo.exe
4688	adlinfo.exe
3096	adlinfo.exe
3052	adlinfo.exe
1008	adlinfo.exe
2164	adlinfo.exe
900	adlinfo.exe
4544	adlinfo.exe
4748	adlinfo.exe
3924	Kryptex.exe
2700	adlinfo.exe
564	adlinfo.exe
1212	adlinfo.exe
4732	adlinfo.exe
3592	adlinfo.exe
2588	adlinfo.exe
2964	adlinfo.exe
4860	adlinfo.exe
4412	adlinfo.exe
1992	adlinfo.exe
4784	adlinfo.exe
952	adlinfo.exe
3140	adlinfo.exe
1824	adlinfo.exe
864	adlinfo.exe
5104	adlinfo.exe
1808	adlinfo.exe
2848	adlinfo.exe
4548	adlinfo.exe
4104	adlinfo.exe
4088	adlinfo.exe
3768	adlinfo.exe
3732	adlinfo.exe
1400	adlinfo.exe
3276	adlinfo.exe
2964	adlinfo.exe
2608	adlinfo.exe
1516	adlinfo.exe
3296	adlinfo.exe
924	adlinfo.exe

Loads dropped DLL 40 IoCs

pid	Process
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
4560	Kryptex.exe
1496	Kryptex.exe
544	Kryptex.exe
420	Kryptex.exe
544	Kryptex.exe
544	Kryptex.exe
544	Kryptex.exe
544	Kryptex.exe
544	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
3856	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Kryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Kryptex.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kryptex.exe

Modifies registry key 1 TTPs 56 IoCs

Modify Registry

T1112

pid	Process
4260	reg.exe
4488	reg.exe
1652	reg.exe
3276	reg.exe
128	reg.exe
2956	reg.exe
2780	reg.exe
3164	reg.exe
4104	reg.exe
1540	reg.exe
4244	reg.exe
488	reg.exe
4868	reg.exe
492	reg.exe
4092	reg.exe
2404	reg.exe
2940	reg.exe
2704	reg.exe
1664	reg.exe
252	reg.exe
2964	reg.exe
1236	reg.exe
1332	reg.exe
1448	reg.exe
2672	reg.exe
1008	reg.exe
3172	reg.exe
3464	reg.exe
1324	reg.exe
4072	reg.exe
2212	reg.exe
2268	reg.exe
3304	reg.exe
3548	reg.exe
4704	reg.exe
2956	reg.exe
3284	reg.exe
1668	reg.exe
664	reg.exe
5112	reg.exe
2932	reg.exe
4840	reg.exe
4816	reg.exe
4732	reg.exe
928	reg.exe
1912	reg.exe
2568	reg.exe
3240	reg.exe
200	reg.exe
3560	reg.exe
436	reg.exe
1248	reg.exe
2096	reg.exe
3160	reg.exe
280	reg.exe
2352	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Kryptex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Kryptex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Kryptex.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1676	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1364	powershell.exe
1364	powershell.exe
2272	powershell.exe
2272	powershell.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
3624	download.exe
2512	powershell.exe
2512	powershell.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
420	Kryptex.exe
420	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
3856	Kryptex.exe
3856	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe
3924	Kryptex.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeSecurityPrivilege	3624	download.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeIncreaseQuotaPrivilege	4344	wmic.exe
Token: SeSecurityPrivilege	4344	wmic.exe
Token: SeTakeOwnershipPrivilege	4344	wmic.exe
Token: SeLoadDriverPrivilege	4344	wmic.exe
Token: SeSystemProfilePrivilege	4344	wmic.exe
Token: SeSystemtimePrivilege	4344	wmic.exe
Token: SeProfSingleProcessPrivilege	4344	wmic.exe
Token: SeIncBasePriorityPrivilege	4344	wmic.exe
Token: SeCreatePagefilePrivilege	4344	wmic.exe
Token: SeBackupPrivilege	4344	wmic.exe
Token: SeRestorePrivilege	4344	wmic.exe
Token: SeShutdownPrivilege	4344	wmic.exe
Token: SeDebugPrivilege	4344	wmic.exe
Token: SeSystemEnvironmentPrivilege	4344	wmic.exe
Token: SeRemoteShutdownPrivilege	4344	wmic.exe
Token: SeUndockPrivilege	4344	wmic.exe
Token: SeManageVolumePrivilege	4344	wmic.exe
Token: 33	4344	wmic.exe
Token: 34	4344	wmic.exe
Token: 35	4344	wmic.exe
Token: 36	4344	wmic.exe
Token: SeIncreaseQuotaPrivilege	4344	wmic.exe
Token: SeSecurityPrivilege	4344	wmic.exe
Token: SeTakeOwnershipPrivilege	4344	wmic.exe
Token: SeLoadDriverPrivilege	4344	wmic.exe
Token: SeSystemProfilePrivilege	4344	wmic.exe
Token: SeSystemtimePrivilege	4344	wmic.exe
Token: SeProfSingleProcessPrivilege	4344	wmic.exe
Token: SeIncBasePriorityPrivilege	4344	wmic.exe
Token: SeCreatePagefilePrivilege	4344	wmic.exe
Token: SeBackupPrivilege	4344	wmic.exe
Token: SeRestorePrivilege	4344	wmic.exe
Token: SeShutdownPrivilege	4344	wmic.exe
Token: SeDebugPrivilege	4344	wmic.exe
Token: SeSystemEnvironmentPrivilege	4344	wmic.exe
Token: SeRemoteShutdownPrivilege	4344	wmic.exe
Token: SeUndockPrivilege	4344	wmic.exe
Token: SeManageVolumePrivilege	4344	wmic.exe
Token: 33	4344	wmic.exe
Token: 34	4344	wmic.exe
Token: 35	4344	wmic.exe
Token: 36	4344	wmic.exe
Token: SeIncreaseQuotaPrivilege	4220	wmic.exe
Token: SeSecurityPrivilege	4220	wmic.exe
Token: SeTakeOwnershipPrivilege	4220	wmic.exe
Token: SeLoadDriverPrivilege	4220	wmic.exe
Token: SeSystemProfilePrivilege	4220	wmic.exe
Token: SeSystemtimePrivilege	4220	wmic.exe
Token: SeProfSingleProcessPrivilege	4220	wmic.exe
Token: SeIncBasePriorityPrivilege	4220	wmic.exe
Token: SeCreatePagefilePrivilege	4220	wmic.exe
Token: SeBackupPrivilege	4220	wmic.exe
Token: SeRestorePrivilege	4220	wmic.exe
Token: SeShutdownPrivilege	4220	wmic.exe
Token: SeDebugPrivilege	4220	wmic.exe
Token: SeSystemEnvironmentPrivilege	4220	wmic.exe
Token: SeRemoteShutdownPrivilege	4220	wmic.exe
Token: SeUndockPrivilege	4220	wmic.exe
Token: SeManageVolumePrivilege	4220	wmic.exe
Token: 33	4220	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
4560	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe
1592	Kryptex.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1364	3624	download.exe	78
PID 3624 wrote to memory of 1364	3624	download.exe	78
PID 3624 wrote to memory of 1364	3624	download.exe	78
PID 3624 wrote to memory of 2272	3624	download.exe	80
PID 3624 wrote to memory of 2272	3624	download.exe	80
PID 3624 wrote to memory of 2272	3624	download.exe	80
PID 3624 wrote to memory of 2512	3624	download.exe	82
PID 3624 wrote to memory of 2512	3624	download.exe	82
PID 3624 wrote to memory of 2512	3624	download.exe	82
PID 3624 wrote to memory of 1856	3624	download.exe	85
PID 3624 wrote to memory of 1856	3624	download.exe	85
PID 3624 wrote to memory of 1856	3624	download.exe	85
PID 3624 wrote to memory of 2420	3624	download.exe	87
PID 3624 wrote to memory of 2420	3624	download.exe	87
PID 3624 wrote to memory of 2420	3624	download.exe	87
PID 3624 wrote to memory of 1652	3624	download.exe	89
PID 3624 wrote to memory of 1652	3624	download.exe	89
PID 3624 wrote to memory of 1652	3624	download.exe	89
PID 3624 wrote to memory of 1676	3624	download.exe	91
PID 3624 wrote to memory of 1676	3624	download.exe	91
PID 3624 wrote to memory of 1676	3624	download.exe	91
PID 4560 wrote to memory of 1496	4560	Kryptex.exe	96
PID 4560 wrote to memory of 1496	4560	Kryptex.exe	96
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 544	4560	Kryptex.exe	97
PID 4560 wrote to memory of 420	4560	Kryptex.exe	98

C:\Users\Admin\AppData\Local\Temp\download.exe
"C:\Users\Admin\AppData\Local\Temp\download.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Add-MpPreference -ExclusionPath \"C:\Program Files\Kryptex\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -c Remove-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /f /tn KryptexElevation
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /f /tn KryptexElevationFromStartup
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /tn KryptexElevationV2 /xml "C:\Program Files\Kryptex\KryptexElevation.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /tn KryptexElevationV2FromStartup /xml "C:\Program Files\Kryptex\KryptexElevationFromStartup.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1676

C:\Program Files\Kryptex\Kryptex.exe
"C:\Program Files\Kryptex\Kryptex.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Kryptex /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Kryptex\Crashpad --url=https://f.a.k/e --annotation=_productName=Kryptex --annotation=_version=4.44.2 --annotation=prod=Electron --annotation=ver=14.2.9 --initial-client-data=0x468,0x470,0x474,0x444,0x478,0x7ff739d58a38,0x7ff739d58a48,0x7ff739d58a58
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1496
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=gpu-process --field-trial-handle=1708,10199179956900247321,10854991812100268229,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1716 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:544
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,10199179956900247321,10854991812100268229,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1960 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:420
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\Kryptex\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1708,10199179956900247321,10854991812100268229,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1592
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get locale
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2760
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2212
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:3588
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:2776
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get SerialNumber /value
    3⤵
    PID:1664
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get TotalVirtualMemorySize /value
    3⤵
    PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:1436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:2788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:4964
- - C:\Windows\System32\Wbem\wmic.exe
    wmic pagefile get AllocatedBaseSize /value
    3⤵
    PID:3008
- - C:\Windows\System32\Wbem\wmic.exe
    wmic logicaldisk where Caption='C:' get FreeSpace /value
    3⤵
    PID:2300
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release\pagefile.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\build\Release\pagefile.exe" 16 16
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe" setPageSize 2
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDelay /t REG_DWORD /d 0x14 /f"
    3⤵
    PID:924
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDelay /t REG_DWORD /d 0x14 /f
      4⤵
      PID:4104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDdiDelay /t REG_DWORD /d 0xa /f"
    3⤵
    PID:3600
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers /v TdrDdiDelay /t REG_DWORD /d 0xa /f
      4⤵
      PID:904
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3056
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1008
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3160
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4520
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption /value
    3⤵
    PID:2716
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get SerialNumber /value
    3⤵
    PID:2212
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get TotalVirtualMemorySize /value
    3⤵
    PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:1476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress"
    3⤵
    PID:624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%%%PCI%%%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:2552
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3924
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3172
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3240
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3948
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4104
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:564
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4112
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1236
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:644
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1332
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3760
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2820
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:664
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2064
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4220
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2956
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3532
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:436
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4836
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2268
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:464
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1540
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2404
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3600
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2688
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2940
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1256
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1812
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4732
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:888
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3276
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:5112
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2964
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3756
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2632
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3284
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2608
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4524
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:280
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4688
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2228
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4840
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3096
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2740
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1540
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4452
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4244
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1984
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3304
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:5112
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2704
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:900
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:840
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4816
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4544
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:912
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4868
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4748
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:5052
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3464
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2700
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3972
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:492
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:564
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1640
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4488
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1212
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:200
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4732
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4464
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2932
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3592
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2388
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1652
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4092
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4532
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:128
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3488
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1912
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3240
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2352
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1512
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3560
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1448
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:952
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3164
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2568
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3140
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2164
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1664
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3092
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3276
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:440
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:252
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:5104
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2552
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2956
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1808
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1712
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2780
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2848
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3296
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1668
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4548
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:4916
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:488
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4104
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:564
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3548
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:4088
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1640
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4704
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3768
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2548
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3164
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3732
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3148
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2672
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:3608
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1248
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3276
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2836
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:2096
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:1424
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:1324
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:2608
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:912
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4260
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:228
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:3240
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:3296
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:2268
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:4072
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    - Executes dropped EXE
    PID:924
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AMD Catalyst Install Manager" /v DisplayVersion
    3⤵
    PID:492
- - C:\Windows\system32\reg.exe
    reg query HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 /v RadeonSoftwareVersion
    3⤵
    - Modifies registry key
    PID:928
- - C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe
    "C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\build\Release\adlinfo.exe"
    3⤵
    PID:2636
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\Kryptex\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1708,10199179956900247321,10854991812100268229,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files\Kryptex\Kryptex.exe
  "C:\Program Files\Kryptex\Kryptex.exe" --type=gpu-process --field-trial-handle=1708,10199179956900247321,10854991812100268229,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\Kryptex" --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAQAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Kryptex\KryptexElevation.xml

Filesize
3KB

MD5
e584e974928f5c25896c57ab4473c7fa

SHA1
d0f41300aa9899cfd8cee99c5b1179764cb5b3a9

SHA256
9ea9d814ae35bd3f5d8603fb174342f73e7292032b0e822920be971221b98211

SHA512
f9dfeae6ef90eb474a16262fd2b96a22418c3249cbf8e5a8765a297d3e4e14bd504aeed093b50d6537cd40b93bb1fab5503225e4812a793eacc72f2982867d2e

Download Submit
C:\Program Files\Kryptex\KryptexElevationFromStartup.xml

Filesize
3KB

MD5
6613ead33c20d846c8a1ba281d6c9327

SHA1
c7be96f9d32af83f99c23f21165fe860a455fc54

SHA256
77de3447f0f69513af4bc08f410a28f58189234bd908e5f7d1ff5c35e0a086b1

SHA512
fa71a511b96628999ff1a1ac5f8aebc44c2be108a427a51e56ac4c72aec37bfda308cafd0ab12b6a55bc7f802cdd98ae7922be6ad67adf3c3bbb65b4c946bf7d

Download Submit
C:\Program Files\Kryptex\chrome_100_percent.pak

Filesize
139KB

MD5
109ee8ffd715c63e3e2248c2ad5ca559

SHA1
7f89b213e80e2b4f52f75b449baecb88054d5e07

SHA256
b581f176c6bdbf8a152947fb37af9c0e6d7651616408cb7312b336c37a704580

SHA512
3fc5e1de128ce0ddf6dddba758a651f4030323e5285b54859019eb95fb0ae11321ba9c391e8bc578acb7f49dd4d82821c4f9947f39972d79360fd2e6abc67de8

Download Submit
C:\Program Files\Kryptex\chrome_200_percent.pak

Filesize
203KB

MD5
3e50e56e351309566b7e3e5a5ca7c7b6

SHA1
3ef35792e0b9c3b902d4da59d0a4bb34590c5400

SHA256
abd207d3e55f0250b27ce23f2a15b0a5ff6f769c08f54e705e2fd0273dca5f1e

SHA512
b24b20fe5dd9766b86869c51b6d92fd3b191bc3a2cac8a4b43b781644958b49500a0fca3fc69781d9c5a80868508f1fa0af9bc1896dc73f944cf1af8546815f0

Download Submit
C:\Program Files\Kryptex\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Program Files\Kryptex\ffmpeg.dll

Filesize
2.6MB

MD5
002287b5dfe53d87c189f368c7f785b5

SHA1
00e6e0e224b5f391c0172008ec78ec5124153649

SHA256
b453afca000aef28c8f27a315a31f244c46755308dea8d9ad55d19a507471a6b

SHA512
c2b23dd13e3f1c009e2eb2e4aae7a9a4e713642a9031c1e51125c9f0c6c8c6430a2088dd5c20867a2e948c97ae9a9078535e96b5d06ea6c7bd7f67a2db2104aa

Download Submit
C:\Program Files\Kryptex\icudtl.dat

Filesize
9.7MB

MD5
224ba45e00bbbb237b34f0facbb550bf

SHA1
1b0f81da88149d9c610a8edf55f8f12a87ca67de

SHA256
8dee674ccd2387c14f01b746779c104e383d57b36c2bdc8e419c470a3d5ffadc

SHA512
c04d271288dd2eff89d91e31829586706eba95ffbab0b75c2d202a4037e66a4e2205e8a37ecf15116302c51239b1826064ed4670a3346439470b260aba0ea784

Download Submit
C:\Program Files\Kryptex\libEGL.dll

Filesize
432KB

MD5
6efa8068776b4eadb3b9dfdef089ca68

SHA1
fa2023ecbcae030cddff3188c9d3c906cc69a64f

SHA256
fa59945648614e0ebf9f8eaf63500347da59a0d2e7484b6b5d4be6cf6ee917de

SHA512
70e6749841a384daa65f284c5d7a8afa358b03b38cc091819aa5545960834b9b4a394eccc19c0a1e290c5b33fbaaa56bd1d6d988b5da0a34e2e56dacde5b17d4

Download Submit
C:\Program Files\Kryptex\libGLESv2.dll

Filesize
7.8MB

MD5
cdc3935fa97855b4f9d692702ea95ef9

SHA1
68939afd7f1f4a470d9328b068250c0b5fbab2c2

SHA256
eea91ba71fdec104e8d7c9fd24687ec4f1c308d79d6730ef58127a92025cc006

SHA512
3cdbd833e8311023d673315c2aebc8e19a17e5767dfa40ca2646ee094eeef27117961f581aaa4584fc639e9ec0195f98ea5454b397cf1cd2709b7772207381b5

Download Submit
C:\Program Files\Kryptex\locales\en-US.pak

Filesize
95KB

MD5
a986c722c10b0639d00250468bb41100

SHA1
7d5d7188ec4723f32bfb13e3573db39b234d934b

SHA256
cb40b01d42057e1aa9a3660afa5db2507e4dadb9b23099ab087c4ff14a99d5e9

SHA512
768145c6dd70e9d3df09cbabb0562249442e86369c6d60d27b2408b8e9d767899911bcc254c0aedc0d29705ab51367a08ff1e25e387a5eb6daae5365c2082d81

Download Submit
C:\Program Files\Kryptex\resources.pak

Filesize
4.6MB

MD5
d98298d188d7ebed9b3e89a822f95df7

SHA1
a50523cc15f47abb6f1b50982db454e4e956ebc8

SHA256
0acd9cafd7c4fac398e85a6e008bad6d7ad34f90b0bfd207df330d3e69bcfa75

SHA512
24cd58294f12f0541d49d180c23b89796596a599d1fc4346d8155b552d765bad0e759c85dded98cf4f3c74ec150b98baf27528f0e864fd37f71dd41c90345791

Download Submit
C:\Program Files\Kryptex\resources\app.asar

Filesize
49.5MB

MD5
8c337b5f01bd3f9628ea513dbb2eb7f7

SHA1
9090597fb41c9527a17eaf23fd679eccf99b150e

SHA256
4043dc892963956232ee95734f5c4d9b1f4848190d5177cca2d1248ef2a4786e

SHA512
676938726779e894b8fb87e35894521667df6378d47b48debc8df309954a0bd570f69ed7397a6ce6cad1471593fa45946ac7780ef1b9369100dc3cdd6f7c3344

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\index.js

Filesize
500B

MD5
9fe8a485038be54d687ad7dd9dff80d3

SHA1
76fc7b47a329b759539bca0b785ad41c083c29be

SHA256
48659f660a13b5fa01622f87dc8a5306ce7c232abf93b82a3b2f6e94c2cf5c86

SHA512
0f3b2ce074ede02079bdab4229f6d4ded5eb7ec64546c3b9f103114aabb35093fecfd04677a0a84d3691fb49bae8a6c5489cee946c7f5f4b86aec3e96434dfac

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\7zip-bin\package.json

Filesize
244B

MD5
2a3677c6c6bba9a148bc83c2f145d136

SHA1
1b828bd2e2b4eaaed8e68821692a0bf87bdd54db

SHA256
acabcd4f1c0b7399de4c213e8fdfd5d064f29e278f94bd5b763d8ac8555e2c18

SHA512
907651c11e31ce7c8242c825033e168c04a185e4717d6c28b1c77a48317ef662419c833300198fc6292721299905d7fe32069307bcc5751e3192e50c3c26209b

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\index.js

Filesize
4KB

MD5
976fc725b3643055a0ab0f1944b7b55c

SHA1
2728f42cd6889a0abb26a41d20a2e38fe8ea9d0f

SHA256
3e0b1ed5c6efb4e5b8afa244e4ee0a303180bed5d8d747177a1149e6e6bd77d5

SHA512
c31f0e83ee990b48324c4813b42ac41b47799be3ec8b009a667b22bd872a0414ef451d5df25e83f4ff910cda6d9a8814348d0ee3a519bf86d885045687568a0d

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\amd-binding\package.json

Filesize
390B

MD5
1c1ab1eaac9d44cf7ba78abab3314f8b

SHA1
bc141359f6383fc6329fcd6bd60a7396074c5011

SHA256
1c1f9fa4f21bfdc05088b3d3e76d46a01a0a3eac388f2bf59584c96e5b00b15a

SHA512
7fc6d56c0abdacaab94e459dc656a92ef625295df47580386db4d88cb339089f1735cf6dff36188936b3197a917f6ea15bc90aefc9b612b4876a7258fa9ab5f4

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\index.js

Filesize
482B

MD5
f63893525bdabde99f42c544015b11ff

SHA1
85f947a7ccdc35df4796acc6b573c3e870fe12f8

SHA256
9b1588849017bb512ed2958133e2ee04d7703787246152440526513db0f72722

SHA512
b027ad668123b8d3f2eb7895b8afcb1b6d5439bb7efedc6d9b4cff8d198a46449bbe1f8ea0e5facc358fd60efda6bd392f26adf08a2d73e0de0359ce60be09c1

Download Submit
C:\Program Files\Kryptex\resources\app.asar.unpacked\node_modules\kryptex-backend\node_modules\pagefile\package.json

Filesize
294B

MD5
c1ef8b1c92d16bf52d8feb92fa29ab32

SHA1
c98865f894ec3c1ccd2310bca105d1872f9fe921

SHA256
8890db4f7f1d77acfae56339d378f8244e5ff5c867409464085ca22bea064a08

SHA512
07c36e200f5bf875475a54f6dd183a16bacfbb99be5c004c9d795e579ed4b40745235c3c7c67cf624e475aad4e7577cf6c34b03a21aea8d2a2d383234111d761

Download Submit
C:\Program Files\Kryptex\v8_context_snapshot.bin

Filesize
160KB

MD5
1c153a96607d3e2c38f11a396533fc80

SHA1
42d11efbaa549ade29c341e6b8ad5a0545047c62

SHA256
18ad1a1abeec0230f2a3e38a80c00d4e298bb55d2bb76a2c8e8b113814023815

SHA512
c3ed01af43532d75c845152f35e844f730f6c7ee14f59ef77222a9b62c52354b4c995fc32b95369d888353da56c308dd32cdec97d34d2aab968e426018416248

Download Submit
C:\Program Files\Kryptex\vk_swiftshader.dll

Filesize
4.4MB

MD5
e8ae323ba929d42e9e1b8112b47a7af2

SHA1
8c78eba22be420ea3094aff6b2dd35587805c012

SHA256
081210e45740985a91a25c7ea057761c89b619375af64e0b7d37d3d4b57de490

SHA512
649d1483bfa2e8bce5c1143639534b5b612d613156f59b6ec1fbb3ce96242a6018f15c59471627f1ece7c9a59e3ee8031d10e51fcbbbca776675dd4a26898693

Download Submit
C:\Program Files\Kryptex\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Program Files\Kryptex\vulkan-1.dll

Filesize
711KB

MD5
e2b4f5e5fa717ccd9cf32c5cb45691f6

SHA1
6adb41cb87757eb218af0df932273dd2a63e5e3f

SHA256
7fa723cd735f2ddffb146c838ac2542edbd1119e3df1864ec47c5e77ac30b8d2

SHA512
cab830d0027a7fcca934129cc83165d99f7c15c5b1d70c3bc74c2ad64003e2236bd43165b48124d0b5ca96a9e5eb1db5464ce9f69c3209dbc54c428db1df7e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8861c5de592c099d12f19165e2908230

SHA1
7a756ba29a4e477bdb7cb1b640375b4a250c5a70

SHA256
047cd3948f49068409a57f2624a9b661a37ed73b375bed87be3078c23d206b1f

SHA512
20c31cd8f34cb73c81c187f6842beb4aef262ac4bd2029fc48fe78374c15d2016e8d47a4c8d6f704f6eabf2d49f1c7bc519db328e17a828a447f22cd0591a11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ffac4017beac9aea0980b05ceede4e98

SHA1
2a5ac22ac2a30f491fb7e26b7d66c16beb86b046

SHA256
98cef4dcde752f5bab940eaabcc93cff8a0a8e23abbc0c8dced60c810032d154

SHA512
d4b14bd43ee9136002e728ca2d99fe9c3c8d8c69bbfd4f323a495256375837d2802ec66f9e33302f5a6325506481b095135d18ef57b4e1a82e8705bd4c404faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\30ec3f07-a70e-41bf-9a03-d021c709fe30.tmp.node

Filesize
1.5MB

MD5
1f45de1aba2eb5820440183939e6107f

SHA1
c08e9af17578469a1692ee86e2d94ecdac5542b0

SHA256
0b8ec764bc98bc2fe44b0e3e3b398ddc9e82670663bd14c9e4a0cafec9c2713c

SHA512
bceebc835173eb542466b1a4f6f21c1eabd492ac9a86413e0b61194ef7b97f1310a54710dd4ae828b8ba7a52dc8db8caf95bdd7a8d0aa1348d9f83b97a04f25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\731d19fc-5505-480e-a2bb-844600d9cdb7.tmp.node

Filesize
148KB

MD5
4dc971c52b14a3843564fb0ce8a6a0c1

SHA1
5b19af49368e4f067cbc73af7b2b54bf2dc8efee

SHA256
27ec96008c48052d5f493683297c26b9136f1d6a9e73c3722e243bc959d7cc93

SHA512
52510b4c20146e635656814e7088464399cd4ca2d64ca67ee2b116ab4631918e092d90462fc450d610154b3284579cb8b7d0ca7bbc3a6eae6b0a348ccffd04dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dbeaa63-3f26-4f0b-905f-15403e615fb1.tmp.node

Filesize
147KB

MD5
5cb6b3762df753d84e4ffd4afe1a7e1c

SHA1
ae2b1c4652aec7315607fc413a4c258f11b69544

SHA256
48b7275f47cd44a05d349eb4fdb6cfc451ccbf609a4a56fa34452bcf231c1208

SHA512
5723c10ea9c26524f7866b9c749d9887b10c1514bf0cc893ba2a6e9c5d9690015cbcbe024653956af3fb842de3290b4c6c4beb051b67480bdae543d8fd3981cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nigccvc.xbs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a678611f-e02f-40fc-ae96-f0e481b8d061.tmp.node

Filesize
761KB

MD5
dc2791bf78b39ef568ba7bb495dedb98

SHA1
2d80d8c47096b8eec1945094797c9466762f3c1f

SHA256
eb1a2a0903c456db115ac01742afb3fbd4af8598e809c8f52e5b1fde2d5fe36a

SHA512
21780f4198695410fa87237d0d2c60ae2fae109ef0c66606b959072de7cc7216b3825af1c6f4797e1748b22b8bfecf33f24d16ad76a4e2501b1ba8dcdecf1407

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmA45F.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\Crashpad\settings.dat

Filesize
40B

MD5
6854c518048a7893a4c4d7bf9c909f31

SHA1
6d237938e96efe8389a923838ff98d2e38f90471

SHA256
b8fb37395483bc86ffa6dc698765155fc4c1b7142d9e6f917ee8b5ee196c7c3a

SHA512
eb6d78ac0906ef1625f58df8bb4047d179d0da1c24600acc082f540e583f4d10abeb26dd4942f190371571a527861b31487cff90b79fe2fe3e575c3f7c2690ee

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\Network Persistent State

Filesize
190B

MD5
144b52099522740457fb7554fc115877

SHA1
f8f27104c8c63d9f8d15b0dbfc69bd56074e222d

SHA256
7c403f84d980c75ea64d984e09e536e54869b80ccba91cec24d739238aacf984

SHA512
2e891bf8e7bfab586793d51ba520fb1e1f0d0100b76e76054f176873cf4353569e4165836dce4438af950561f0cf181ea6ee4635b1ceb1f4a45a919c0b68db8e

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\Network Persistent State~RFe593251.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\sentry\queue\971842efe49a4ec4b2c2cb7a257e1f7f

Filesize
9KB

MD5
d114e671347cc631dddf5e8f9d613811

SHA1
bab8b0abd4c953feb8d3852d21e6ed4480f5b427

SHA256
071834fbfabf56647b7c21e965f6538da8c6e35e8c854799c1185cc925f90a8c

SHA512
7f475d17f86a5734687453c4f721f016c939f907936be835b30c028f1654957739204c952bcf9de202b6144f5c25b1fe2056b401acf412e0b9b13a87e98a8170

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\sentry\queue\c6f20ec9935b45a58a36dc1b95af8afa

Filesize
7KB

MD5
5c4d689606286bb4a5067341eb85349c

SHA1
77fcc06f123cb762a440d124d099fad536d6a3bc

SHA256
4cde806291ebdc14a2db28d87a28acde33fa77da59e412def21e15e75de9ea25

SHA512
96be2ffb99b303b4c560cd794a6e9d68dc17d01c9539ca94b9a07b1e48e06b5b601ff950284655be73fdd0c68dd53d51114fff8654a1a9a741ef9bd0c0ad40d2

Download Submit
C:\Users\Admin\AppData\Roaming\Kryptex\sentry\scope_v2.json

Filesize
7KB

MD5
564f86114a91eb984d23909319530375

SHA1
daef7308b516b817a1ab1f5ea1ea9361db6118dd

SHA256
9489a4ff801ee8f5d7ac5cbe92bb403a985ea45c0750093c5e5d96b9397fddb2

SHA512
b169d84439284c078c3e444e44930a2aaa9bf2930521e7fbf5f35fe786424944d79f4e559d0edec03c2a10be190e03709f113105bd40151454f6a168ff7ef878

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/544-389-0x00007FF83DF70000-0x00007FF83DF71000-memory.dmp

Filesize
4KB

Download
memory/1364-48-0x0000000007B50000-0x0000000007B5A000-memory.dmp

Filesize
40KB

Download
memory/1364-42-0x0000000006D70000-0x0000000006D8E000-memory.dmp

Filesize
120KB

Download
memory/1364-13-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/1364-14-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/1364-15-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/1364-16-0x0000000005CA0000-0x00000000062CA000-memory.dmp

Filesize
6.2MB

Download
memory/1364-17-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/1364-18-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/1364-19-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/1364-28-0x00000000062D0000-0x0000000006627000-memory.dmp

Filesize
3.3MB

Download
memory/1364-29-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/1364-30-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/1364-31-0x0000000007970000-0x00000000079A4000-memory.dmp

Filesize
208KB

Download
memory/1364-57-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/1364-54-0x0000000007E20000-0x0000000007E28000-memory.dmp

Filesize
32KB

Download
memory/1364-53-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/1364-52-0x0000000007D40000-0x0000000007D55000-memory.dmp

Filesize
84KB

Download
memory/1364-51-0x0000000007D30000-0x0000000007D3E000-memory.dmp

Filesize
56KB

Download
memory/1364-50-0x0000000007CF0000-0x0000000007D01000-memory.dmp

Filesize
68KB

Download
memory/1364-49-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/1364-46-0x0000000008120000-0x000000000879A000-memory.dmp

Filesize
6.5MB

Download
memory/1364-47-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/1364-45-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/1364-44-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/1364-43-0x00000000079B0000-0x0000000007A54000-memory.dmp

Filesize
656KB

Download
memory/1364-38-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/1364-32-0x0000000070E90000-0x0000000070EDC000-memory.dmp

Filesize
304KB

Download
memory/2272-85-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/2272-63-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/2272-62-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/2272-64-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/2272-73-0x0000000005870000-0x0000000005BC7000-memory.dmp

Filesize
3.3MB

Download
memory/2272-75-0x0000000070E90000-0x0000000070EDC000-memory.dmp

Filesize
304KB

Download
memory/2512-332-0x0000000007450000-0x0000000007465000-memory.dmp

Filesize
84KB

Download
memory/2512-318-0x0000000005930000-0x0000000005C87000-memory.dmp

Filesize
3.3MB

Download
memory/2512-320-0x0000000006360000-0x00000000063AC000-memory.dmp

Filesize
304KB

Download
memory/2512-321-0x0000000070820000-0x000000007086C000-memory.dmp

Filesize
304KB

Download
memory/2512-330-0x0000000007090000-0x0000000007134000-memory.dmp

Filesize
656KB

Download
memory/2512-331-0x0000000007370000-0x0000000007381000-memory.dmp

Filesize
68KB

Download
memory/3924-714-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-713-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-718-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-720-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-724-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-723-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-722-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-721-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-719-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download
memory/3924-712-0x000001F7D8BC0000-0x000001F7D8BC1000-memory.dmp

Filesize
4KB

Download