purelogstealer | 92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f

System Information Discovery

Processes:

SyncSpoofer.exeVC_redistx64.exeHpsrSpoof.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	SyncSpoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	HpsrSpoof.exe

Executes dropped EXE 43 IoCs

Processes:

sWsmPty.exeVC_redistx64.exeHpsrSpoof.exeVolumeid64.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exeAMIDEWINx64.exe

pid	process
1176	sWsmPty.exe
5560	VC_redistx64.exe
6024	HpsrSpoof.exe
2780	Volumeid64.exe
412	DevManView.exe
5016	DevManView.exe
5436	DevManView.exe
5404	DevManView.exe
5360	DevManView.exe
5540	DevManView.exe
5656	DevManView.exe
5672	DevManView.exe
5740	DevManView.exe
5764	DevManView.exe
1228	DevManView.exe
5200	DevManView.exe
5912	DevManView.exe
5396	DevManView.exe
5356	DevManView.exe
3260	AMIDEWINx64.exe
5256	AMIDEWINx64.exe
5756	AMIDEWINx64.exe
3304	AMIDEWINx64.exe
5540	AMIDEWINx64.exe
5764	AMIDEWINx64.exe
5372	AMIDEWINx64.exe
1980	AMIDEWINx64.exe
5404	AMIDEWINx64.exe
5016	AMIDEWINx64.exe
3680	AMIDEWINx64.exe
5016	AMIDEWINx64.exe
4344	AMIDEWINx64.exe
3336	AMIDEWINx64.exe
2780	AMIDEWINx64.exe
5204	AMIDEWINx64.exe
4764	AMIDEWINx64.exe
2588	AMIDEWINx64.exe
4396	AMIDEWINx64.exe
2288	AMIDEWINx64.exe
5672	AMIDEWINx64.exe
4276	AMIDEWINx64.exe
5740	AMIDEWINx64.exe
5464	AMIDEWINx64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VC_redistx64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exe

description	ioc	process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

VC_redistx64.exe

pid	process
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe
5560	VC_redistx64.exe

Drops file in Windows directory 3 IoCs

Processes:

DevManView.exeDevManView.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SyncSpoofer.exeVC_redistx64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SyncSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133688224508336321"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SyncSpoofer.exe

pid	process
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe
3864	SyncSpoofer.exe

Suspicious behavior: LoadsDriver 23 IoCs

Processes:

pid process

660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

pid	process
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

Processes:

chrome.exe

pid	process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SyncSpoofer.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3864	SyncSpoofer.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

VC_redistx64.exe

pid process

5560 VC_redistx64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4236 wrote to memory of 3292	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 3292	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4064	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 1512	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 1512	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe
PID 4236 wrote to memory of 4572	4236	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864
- C:\Users\Admin\AppData\Roaming\sWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\sWsmPty.exe"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5560
- C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
  "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: DBVV-GH75
    3⤵
    PID:5904
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: DBVV-GH75
      4⤵
      Executes dropped EXE
      PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    PID:3004
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:412
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5016
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5436
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5404
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5360
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5540
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5656
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5672
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5740
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5764
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:1228
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5200
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:5912
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:5396
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:3732
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13765HP-TRGT7992AB
      4⤵
      Executes dropped EXE
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:4792
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213765HP-TRGT7992RV
      4⤵
      Executes dropped EXE
      PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:5400
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813765HP-TRGT7992SG
      4⤵
      Executes dropped EXE
      PID:5756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:5476
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:6100
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513765HP-TRGT7992SL
      4⤵
      Executes dropped EXE
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:5672
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413765HP-TRGT7992FA
      4⤵
      Executes dropped EXE
      PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:5012
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613765HP-TRGT7992FU
      4⤵
      Executes dropped EXE
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:4988
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313765HP-TRGT7992DQ
      4⤵
      Executes dropped EXE
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:412
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713769HP-TRGT18741MST
      4⤵
      Executes dropped EXE
      PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:5740
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:5016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:4396
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13785HP-TRGT6947AB
      4⤵
      Executes dropped EXE
      PID:3680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:5484
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213785HP-TRGT6947RV
      4⤵
      Executes dropped EXE
      PID:5016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:5372
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813785HP-TRGT6947SG
      4⤵
      Executes dropped EXE
      PID:3336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:5360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4988
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:4344
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:4436
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 513785HP-TRGT6947SL
      4⤵
      Executes dropped EXE
      PID:5204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:4768
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 413785HP-TRGT6947FA
      4⤵
      Executes dropped EXE
      PID:2780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:3004
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 613785HP-TRGT6947FU
      4⤵
      Executes dropped EXE
      PID:4764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:5748
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 313785HP-TRGT6947DQ
      4⤵
      Executes dropped EXE
      PID:2588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:3260
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 713785HP-TRGT6947MST
      4⤵
      Executes dropped EXE
      PID:4396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:3544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5012
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:2288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:5284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4436
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 13801HP-TRGT27921AB
      4⤵
      Executes dropped EXE
      PID:5672
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:2096
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 213801HP-TRGT27921RV
      4⤵
      Executes dropped EXE
      PID:4276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:5268
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 813801HP-TRGT27921SG
      4⤵
      Executes dropped EXE
      PID:5740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:3680
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcf741cc40,0x7ffcf741cc4c,0x7ffcf741cc58
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4632,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4472,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5348,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5212,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3460,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3464,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3296,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4668,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5580,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4508,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4084,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5648,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5620,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5688,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5136,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5172,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=1244,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6404,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6444,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6740,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6952,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7104,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7228,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7240 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7360,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7568,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7584 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6744,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8276 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7048,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7276,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7032,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7172 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7008,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=7348,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6764,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8640 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6792,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6804,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7716 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8548,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=8440,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8808 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8432,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=7020,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8868 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=8308,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8856 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=9032,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8320 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8328,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=7960,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9052 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=8172,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=8032,i,17736336835900951744,4428239969607966491,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

Query Registry

System Information Discovery