Andrew
People tagged me saying this is malware. It's not malware. It's a false positive. It's flagged as malware because it has functionality present which modifies system components and settings (in the name of gaming, or something) which some malware families may also try to do. It also has some unusual stuff inside which looks like malware, but it's not.

1. It's 144MB because it's the new fancy .NET "hostfxr" stuff, so it's all bundled together and comes with all the necessary dependencies. Inside of the binary, though, is an RCData section (custom section) which is (probably) flagged as malware because it contains a .DLL which is (yet another) .NET dependency. However, this is all unironically normal stuff.

2. The binary loads an internal module called "XillyGameMode". XillyGameMode is fancy, has a bunch of fancy graphics, but it ultimately contains a few core services.

3. Internal "services":
- "GameDetector" + GameModeService
- MemoryService
- NetworkService
- PowerService
- RegistryService
- UpdateService
Each "service" also has settings associated with it.

4. GameModeService checks for the presence of a bunch of random video games based on their process in-memory string (how they appear in Task Manager). It looks for: Call of Duty, Fortnite, Apex, CS2, Valheim, DOTA2, LoL, Overwatch, Valorant, GTA5, RDR2, Cyberpunk2077, and Minecraft. If any of these are identified it sets it to focus. In other words, it makes sure it's not in the background of something. This service also functions as the thingie that handles all the other services.

5. MemoryService invokes PSAPI!EmptyWorkingSet and attempts to flush unused memory to disk.

6. NetworkService disables multicasting stuff, for DNS stuff, or something. It also disables NetBIOS.

7. PowerService attempts to determine if it's a desktop using Win32_SystemEnclosure from WMI. If it thinks it's a Desktop, it changes power settings to High Performance. If it thinks you're a laptop, or can't determine if it's a Desktop, it tries modifying power read scheme thingies. Some weird power stuff I never cared to look more into.

8. RegistryService modifies registry stuff to give GPU priority, disables explorer.exe restart functionality (???), and enables Game Bar auto start stuff.

9. UpdateService looks for updates on GitHub. It has some weird update logic by dropping a *.BAT file, but it just kills the current process. There are smarter ways to do this, but whatever.

10. It's not malware. It has malware-like functionality because it changes system settings. I don't think changing some of these things really matters a whole lot, but I'm not a gamer NERD, so I don't know.

Thanks
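As an added example, not code from the post above and not code from XillyGameMode: a read-only PowerShell script that performs the same host checks the post describes the services doing (process-name match against the game list, desktop/laptop classification from Win32_SystemEnclosure, active power scheme, NetBIOS state per adapter, and the registry values behind the "GPU priority" and "explorer restart" tweaks). Run it before and after the tool, and the diff shows what actually changed on the host. The process names, the chassis-type mapping, and the registry paths are assumptions; the post does not give the exact strings the binary uses.

```powershell
# Added example: reproduces, read-only, the checks described in the post.
# Not code from the post or from XillyGameMode. Process names, chassis-type
# mapping and registry paths are assumptions; the post does not give the exact ones.

# 4. GameModeService: Task Manager style process names for the listed titles (assumed list)
$GameProcesses = @(
    'cod', 'FortniteClient-Win64-Shipping', 'r5apex', 'cs2', 'valheim', 'dota2',
    'League of Legends', 'Overwatch', 'VALORANT-Win64-Shipping', 'GTA5', 'RDR2',
    'Cyberpunk2077', 'javaw'   # Minecraft (Java edition) runs under javaw
)

function Get-RunningGames {
    $running = Get-Process | Select-Object -ExpandProperty ProcessName -Unique
    return @($GameProcesses | Where-Object { $running -contains $_ })
}

# 7. PowerService: classify the chassis from Win32_SystemEnclosure.ChassisTypes.
# Codes are the SMBIOS enclosure types; which codes the binary treats as "desktop" is assumed.
function Get-ChassisClass {
    $desktop = 3, 4, 5, 6, 7, 15, 16, 17, 24     # Desktop, Low Profile, Pizza Box, Mini Tower, Tower, ...
    $laptop  = 8, 9, 10, 11, 14, 30, 31, 32      # Portable, Laptop, Notebook, Hand Held, Sub Notebook, Tablet, ...
    $types = @((Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes)
    if ($types | Where-Object { $desktop -contains $_ }) { return 'Desktop' }
    if ($types | Where-Object { $laptop  -contains $_ }) { return 'Laptop' }
    return 'Unknown'
}

# Active power scheme; the built-in High performance plan has the well-known GUID below
function Get-ActivePowerScheme {
    $line = (powercfg /getactivescheme) -join ' '
    $guid = if ($line -match '([0-9a-f\-]{36})') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Guid            = $guid
        HighPerformance = ($guid -eq '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c')
        Raw             = $line
    }
}

# 6. NetworkService: NetBIOS over TCP/IP per adapter
# (TcpipNetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled)
function Get-NetbiosState {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions
}

# 8. RegistryService: values commonly behind "GPU priority" and "disable explorer restart" tweaks (assumed paths).
# AutoRestartShell = 0 stops Winlogon from relaunching explorer.exe after it exits.
function Get-RegistryTweaks {
    $games    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        GpuPriority      = (Get-ItemProperty -Path $games    -Name 'GPU Priority'     -ErrorAction SilentlyContinue).'GPU Priority'
        AutoRestartShell = (Get-ItemProperty -Path $winlogon -Name 'AutoRestartShell' -ErrorAction SilentlyContinue).AutoRestartShell
    }
}

# Collect everything into one object so a before/after comparison is a single Compare-Object away
function Get-GameModeFootprint {
    [pscustomobject]@{
        RunningGames = Get-RunningGames
        Chassis      = Get-ChassisClass
        PowerScheme  = Get-ActivePowerScheme
        Netbios      = Get-NetbiosState
        Registry     = Get-RegistryTweaks
    }
}

Get-GameModeFootprint | Format-List
```

Everything here only reads state; nothing in the script calls EmptyWorkingSet, changes the power plan, or writes to the registry, so it is safe to run on a triage box while the sample is being evaluated. Capturing the output to JSON (`Get-GameModeFootprint | ConvertTo-Json -Depth 4`) before and after running the tool gives a concrete record of which of the described settings it actually touched.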