970253f12e332e4e36537198556cdefe1ba6ae7c20be6482d5fe33f366cd6af2

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DRP_15.9_Full/Tools/modules/bugreport/SysInfo.exe
Size

5.5MB
MD5

ffc1771da2961a16f68670262aeac3b9
SHA1

ada0cfb2fe7e8097373510be273d5e9443b1936e
SHA256

1a24d8cdc38765e6d5d98a6a9351f5d102d7db45d507f4ee05e85893eb305922
SHA512

2575a75eb42b1b56d43e9e6bb5c6428b3efcef566d05c70917c7c6195e2f410d1c3665dd05d0e5035578a7d4972b4962c50aa48f916e7b869000834f3901102c

Score

9^/10

discovery upx

Malware Config

Signatures

Nirsoft 10 IoCs

Processes:

resource	yara_rule
\Windows\Logs\SysInfo\Tools\LastActivityView.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe	Nirsoft
\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe	Nirsoft
\Windows\Logs\SysInfo\Tools\DriverView64.exe	Nirsoft
\Windows\Logs\SysInfo\Tools\DriverView64.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe	Nirsoft
\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe	Nirsoft
\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe	Nirsoft

Drops file in Drivers directory 2 IoCs

Processes:

SIV64X.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\SIVX64.sys	SIV64X.exe
File opened for modification	C:\Windows\system32\Drivers\SIVX64.sys	SIV64X.exe

Executes dropped EXE 20 IoCs

Processes:

LastActivityView.exeCProcess.exeSDI-drv.exeDevManView.exeAppCrashView.exeBlueScreenView.exeBlueScreenView.exeExecutedProgramsList.exeWhatInStartup.exeWinAudit.exehidec.exehidec.exeDriverView64.exeInstalledDriversList64.exeSIV64X.exeLog.exehidec.exe7za.exehidec.exewput.exe

pid	process
1696	LastActivityView.exe
308	CProcess.exe
316	SDI-drv.exe
960	DevManView.exe
620	AppCrashView.exe
1832	BlueScreenView.exe
1076	BlueScreenView.exe
2032	ExecutedProgramsList.exe
1928	WhatInStartup.exe
1160	WinAudit.exe
1696	hidec.exe
1300	hidec.exe
1448	DriverView64.exe
1284	InstalledDriversList64.exe
876	SIV64X.exe
1212	Log.exe
2044	hidec.exe
668	7za.exe
1964	hidec.exe
1980	wput.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Logs\SysInfo\Tools\CProcess.exe	upx
\Windows\Logs\SysInfo\Tools\CProcess.exe	upx
C:\Windows\Logs\SysInfo\Tools\CProcess.exe	upx
C:\Windows\Logs\SysInfo\Tools\CProcess.exe	upx
\Windows\Logs\SysInfo\Tools\SDI-drv.exe	upx
C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe	upx
\Windows\Logs\SysInfo\Tools\DevManView.exe	upx
C:\Windows\Logs\SysInfo\Tools\DevManView.exe	upx
\Windows\Logs\SysInfo\Tools\AppCrashView.exe	upx
\Windows\Logs\SysInfo\Tools\AppCrashView.exe	upx
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe	upx
\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	upx
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	upx
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	upx
\Windows\Logs\SysInfo\Tools\WhatInStartup.exe	upx
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe	upx

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinAudit.exeSIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinAudit.exe

Loads dropped DLL 28 IoCs

Processes:

SysInfo.exehidec.exehidec.exe

pid	process
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
2044	hidec.exe
2044	hidec.exe
1088	SysInfo.exe
1964	hidec.exe
1964	hidec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

DevManView.exe

description ioc process

File opened (read-only) \??\D: DevManView.exe

description	ioc	process
File opened (read-only)	\??\D:	DevManView.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DevManView.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe

Drops file in Windows directory 64 IoCs

Processes:

Log.exeSysInfo.exeSDI-drv.exeDriverView64.exeSIV64X.exeDevManView.exeBlueScreenView.exedxdiag.exeWhatInStartup.exeWinAudit.exeLastActivityView.exe7za.exeBlueScreenView.exeInstalledDriversList64.exeAppCrashView.exe

description	ioc	process
File created	C:\Windows\Logs\SysInfo\Tools\ERROR.BUG	Log.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\System\DxDiag.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\Tools\logs\	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\Tools\	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\logs\2021_05_07__14_45_51__MRBKYMNO_state.snp	SDI-drv.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Drivers.htm	DriverView64.exe
File opened for modification	C:\Windows\Logs\SysInfo\Tools\SIV_DBGOUT.log	SIV64X.exe
File created	C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SIVX64.sys	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\usbdevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\wput.exe	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Execute.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\Log.exe	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\DIA-Logs\	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Devices.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SIV64X.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Devices.htm	DevManView.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\!BSOD!.txt	BlueScreenView.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Startup.htm	WhatInStartup.exe
File created	C:\Windows\Logs\SysInfo\Tools\SIV_MRBKYMNO.txt	SIV64X.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\MRBKYMNO.html	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\SIV_MRBKYMNO.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Actions.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\MRBKYMNO.html	WinAudit.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\System\setupapi.dev.log	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Drivers.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SysInf.bat	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\pcmdevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\www.SamLab.ws.url	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Actions.htm	LastActivityView.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\System\DxDiag.txt	dxdiag.exe
File created	C:\Windows\Logs\SysInfo\Tools\7za.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\DevManView.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\logs\2021_05_07__14_45_49__MRBKYMNO_log.txt	SDI-drv.exe
File created	C:\Windows\Logs\SysInfo\SysInfo.7z	7za.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Process.htm	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\System\	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\InstalledDriversList.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\pcidevs.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SDI-Logs\	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Startup.htm	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\System\setupapi.dev.log	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\!BSOD!.htm	BlueScreenView.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SDI-Logs\2021_05_07__14_45_51__MRBKYMNO_state.snp	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\MRBKYMNO.html	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\pnpdevs.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\DRP-Online\	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Drivers.html	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Drivers.html	InstalledDriversList64.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SIV32X.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\mondevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Crashes.htm	AppCrashView.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\SIV_MRBKYMNO.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\BoxCutter.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe	SysInfo.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DevManView.exeSIV64X.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SIV64X.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SIV64X.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SIV64X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	SIV64X.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SIV64X.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinAudit.exeSIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VirtualAddressBits	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PhysicalAddressBits	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	SIV64X.exe

Modifies registry class 36 IoCs

Processes:

reg.exedxdiag.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.css\Content Type = "text/css"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.css	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

SysInfo.exeCProcess.exeWhatInStartup.exeWinAudit.exedxdiag.exeSIV64X.exe

pid	process
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
308	CProcess.exe
308	CProcess.exe
1928	WhatInStartup.exe
1928	WhatInStartup.exe
1160	WinAudit.exe
1212	dxdiag.exe
1212	dxdiag.exe
876	SIV64X.exe
876	SIV64X.exe
876	SIV64X.exe
876	SIV64X.exe
876	SIV64X.exe
876	SIV64X.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe
1088	SysInfo.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SysInfo.exe

pid process

1088 SysInfo.exe
Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid process

464
464
464
464
464
464
464

pid	process
464
464
464
464
464
464
464

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

LastActivityView.exeCProcess.exeDevManView.exeWhatInStartup.exeWinAudit.exedxdiag.exeSIV64X.exe

description	pid	process
Token: SeBackupPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeBackupPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeBackupPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeSecurityPrivilege	1696	LastActivityView.exe
Token: SeDebugPrivilege	308	CProcess.exe
Token: SeBackupPrivilege	960	DevManView.exe
Token: SeRestorePrivilege	960	DevManView.exe
Token: SeTakeOwnershipPrivilege	960	DevManView.exe
Token: SeRestorePrivilege	1928	WhatInStartup.exe
Token: SeBackupPrivilege	1928	WhatInStartup.exe
Token: SeIncBasePriorityPrivilege	1160	WinAudit.exe
Token: SeRestorePrivilege	1212	dxdiag.exe
Token: SeRestorePrivilege	1212	dxdiag.exe
Token: SeRestorePrivilege	1212	dxdiag.exe
Token: SeRestorePrivilege	1212	dxdiag.exe
Token: SeRestorePrivilege	1212	dxdiag.exe
Token: SeRestorePrivilege	1212	dxdiag.exe
Token: SeRestorePrivilege	1212	dxdiag.exe
Token: SeIncBasePriorityPrivilege	876	SIV64X.exe
Token: SeSystemEnvironmentPrivilege	876	SIV64X.exe
Token: SeLoadDriverPrivilege	876	SIV64X.exe
Token: SeDebugPrivilege	876	SIV64X.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

SysInfo.exe

pid process

1088 SysInfo.exe
1088 SysInfo.exe
1088 SysInfo.exe
1088 SysInfo.exe
1088 SysInfo.exe
1088 SysInfo.exe
1088 SysInfo.exe
1088 SysInfo.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dxdiag.exe

pid process

1212 dxdiag.exe

pid	process
1212	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SysInfo.exedxdiag.exehidec.exe

description	pid	process	target process
PID 1088 wrote to memory of 832	1088	SysInfo.exe	dxdiag.exe
PID 1088 wrote to memory of 832	1088	SysInfo.exe	dxdiag.exe
PID 1088 wrote to memory of 832	1088	SysInfo.exe	dxdiag.exe
PID 1088 wrote to memory of 832	1088	SysInfo.exe	dxdiag.exe
PID 832 wrote to memory of 1212	832	dxdiag.exe	dxdiag.exe
PID 832 wrote to memory of 1212	832	dxdiag.exe	dxdiag.exe
PID 832 wrote to memory of 1212	832	dxdiag.exe	dxdiag.exe
PID 832 wrote to memory of 1212	832	dxdiag.exe	dxdiag.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	LastActivityView.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	LastActivityView.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	LastActivityView.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	LastActivityView.exe
PID 1088 wrote to memory of 308	1088	SysInfo.exe	CProcess.exe
PID 1088 wrote to memory of 308	1088	SysInfo.exe	CProcess.exe
PID 1088 wrote to memory of 308	1088	SysInfo.exe	CProcess.exe
PID 1088 wrote to memory of 308	1088	SysInfo.exe	CProcess.exe
PID 1088 wrote to memory of 316	1088	SysInfo.exe	SDI-drv.exe
PID 1088 wrote to memory of 316	1088	SysInfo.exe	SDI-drv.exe
PID 1088 wrote to memory of 316	1088	SysInfo.exe	SDI-drv.exe
PID 1088 wrote to memory of 316	1088	SysInfo.exe	SDI-drv.exe
PID 1088 wrote to memory of 316	1088	SysInfo.exe	SDI-drv.exe
PID 1088 wrote to memory of 316	1088	SysInfo.exe	SDI-drv.exe
PID 1088 wrote to memory of 316	1088	SysInfo.exe	SDI-drv.exe
PID 1088 wrote to memory of 960	1088	SysInfo.exe	DevManView.exe
PID 1088 wrote to memory of 960	1088	SysInfo.exe	DevManView.exe
PID 1088 wrote to memory of 960	1088	SysInfo.exe	DevManView.exe
PID 1088 wrote to memory of 960	1088	SysInfo.exe	DevManView.exe
PID 1088 wrote to memory of 620	1088	SysInfo.exe	AppCrashView.exe
PID 1088 wrote to memory of 620	1088	SysInfo.exe	AppCrashView.exe
PID 1088 wrote to memory of 620	1088	SysInfo.exe	AppCrashView.exe
PID 1088 wrote to memory of 620	1088	SysInfo.exe	AppCrashView.exe
PID 1088 wrote to memory of 1832	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 1832	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 1832	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 1832	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 1076	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 1076	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 1076	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 1076	1088	SysInfo.exe	BlueScreenView.exe
PID 1088 wrote to memory of 2032	1088	SysInfo.exe	ExecutedProgramsList.exe
PID 1088 wrote to memory of 2032	1088	SysInfo.exe	ExecutedProgramsList.exe
PID 1088 wrote to memory of 2032	1088	SysInfo.exe	ExecutedProgramsList.exe
PID 1088 wrote to memory of 2032	1088	SysInfo.exe	ExecutedProgramsList.exe
PID 1088 wrote to memory of 1928	1088	SysInfo.exe	WhatInStartup.exe
PID 1088 wrote to memory of 1928	1088	SysInfo.exe	WhatInStartup.exe
PID 1088 wrote to memory of 1928	1088	SysInfo.exe	WhatInStartup.exe
PID 1088 wrote to memory of 1928	1088	SysInfo.exe	WhatInStartup.exe
PID 1088 wrote to memory of 1160	1088	SysInfo.exe	WinAudit.exe
PID 1088 wrote to memory of 1160	1088	SysInfo.exe	WinAudit.exe
PID 1088 wrote to memory of 1160	1088	SysInfo.exe	WinAudit.exe
PID 1088 wrote to memory of 1160	1088	SysInfo.exe	WinAudit.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	hidec.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	hidec.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	hidec.exe
PID 1088 wrote to memory of 1696	1088	SysInfo.exe	hidec.exe
PID 1696 wrote to memory of 596	1696	hidec.exe	cmd.exe
PID 1696 wrote to memory of 596	1696	hidec.exe	cmd.exe
PID 1696 wrote to memory of 596	1696	hidec.exe	cmd.exe
PID 1696 wrote to memory of 596	1696	hidec.exe	cmd.exe
PID 1088 wrote to memory of 1300	1088	SysInfo.exe	hidec.exe
PID 1088 wrote to memory of 1300	1088	SysInfo.exe	hidec.exe
PID 1088 wrote to memory of 1300	1088	SysInfo.exe	hidec.exe
PID 1088 wrote to memory of 1300	1088	SysInfo.exe	hidec.exe
PID 1088 wrote to memory of 1448	1088	SysInfo.exe	DriverView64.exe

C:\Users\Admin\AppData\Local\Temp\DRP_15.9_Full\Tools\modules\bugreport\SysInfo.exe
"C:\Users\Admin\AppData\Local\Temp\DRP_15.9_Full\Tools\modules\bugreport\SysInfo.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\dxdiag.exe
dxdiag /t C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\System\DxDiag.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\SysWOW64\dxdiag.exe" /t C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\System\DxDiag.txt
3⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Actions.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\Logs\SysInfo\Tools\CProcess.exe
C:\Windows\Logs\SysInfo\Tools\CProcess.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Process.htm
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe
C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe -nogui -autoclose
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:316

C:\Windows\Logs\SysInfo\Tools\DevManView.exe
C:\Windows\Logs\SysInfo\Tools\DevManView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Devices.htm
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Crashes.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:620

C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\!BSOD!.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1832

C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe /scomma C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\!BSOD!.txt
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1076

C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Execute.htm
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Startup.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\Logs\SysInfo\Tools\WinAudit.exe
C:\Windows\Logs\SysInfo\Tools\WinAudit.exe /r=gz /o=HTML
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd
3⤵
PID:596

C:\Windows\Logs\SysInfo\Tools\DriverView64.exe
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Drivers.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1448

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\fix_dll.cmd
2⤵
- Executes dropped EXE
PID:1300

C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe /shtml C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Drivers.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1284

C:\Windows\Logs\SysInfo\Tools\SIV64X.exe
C:\Windows\Logs\SysInfo\Tools\SIV64X.exe -SAVE[devices][device-ids][dimms][driver-vsn][environment][hw-status][interfaces][my-ip-address][overview][pnp-dev][processes][startup][software][system][uaa-dev]
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\Logs\SysInfo\Tools\Log.exe
C:\Windows\Logs\SysInfo\Tools\Log.exe /S /C
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1212

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\7za a -t7z C:\Windows\Logs\SysInfo\SysInfo.7z C:\Windows\Logs\SysInfo\LOGs\
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044

C:\Windows\Logs\SysInfo\Tools\7za.exe
C:\Windows\Logs\SysInfo\Tools\7za a -t7z C:\Windows\Logs\SysInfo\SysInfo.7z C:\Windows\Logs\SysInfo\LOGs\
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:668

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\wput.exe --output-file=C:\Windows\Temp\MRBKYMNO_2021.05.07_v15.9.log "C:\Windows\Logs\SysInfo\MRBKYMNO_2021.05.07_v15.9.7z" "ftp://feedback:pq9KvdyeRVA6u@download0.drp.su/logs/15.9_full/MRBKYMNO_2021.05.07_v15.9.7z"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964

C:\Windows\Logs\SysInfo\Tools\wput.exe
C:\Windows\Logs\SysInfo\Tools\wput.exe --output-file=C:\Windows\Temp\MRBKYMNO_2021.05.07_v15.9.log "C:\Windows\Logs\SysInfo\MRBKYMNO_2021.05.07_v15.9.7z" "ftp://feedback:pq9KvdyeRVA6u@download0.drp.su/logs/15.9_full/MRBKYMNO_2021.05.07_v15.9.7z"
3⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\Logs\SysInfo\Tools\fix_dll.cmd
1⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css" /v "Content Type" /t reg_sz /d text/css /f
2⤵
- Modifies registry class
PID:1736

C:\Windows\SysWOW64\net.exe
net stop RpcSs
2⤵
PID:1832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RpcSs
3⤵
PID:296

C:\Windows\SysWOW64\net.exe
net stop wmiApSrv
2⤵
PID:1612

C:\Windows\SysWOW64\net.exe
net stop RpcLocator
2⤵
PID:1464

C:\Windows\SysWOW64\net.exe
net stop DcomLaunch
2⤵
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DcomLaunch
3⤵
PID:744

C:\Windows\SysWOW64\sc.exe
sc config RpcSs start=auto
2⤵
PID:396

C:\Windows\SysWOW64\sc.exe
sc config RpcLocator start=auto
2⤵
PID:556

C:\Windows\SysWOW64\sc.exe
sc config wmiApSrv start=auto
2⤵
PID:308

C:\Windows\SysWOW64\net.exe
net start RpcSs
2⤵
PID:1836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start RpcSs
3⤵
PID:592

C:\Windows\SysWOW64\sc.exe
sc config DcomLaunch start=auto
2⤵
PID:332

C:\Windows\SysWOW64\net.exe
net start wmiApSrv
2⤵
PID:668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start wmiApSrv
3⤵
PID:1472

C:\Windows\SysWOW64\net.exe
net start RpcLocator
2⤵
PID:396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start RpcLocator
3⤵
PID:576

C:\Windows\SysWOW64\net.exe
net start DcomLaunch
2⤵
PID:1620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start DcomLaunch
3⤵
PID:1160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wmiApSrv
1⤵
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RpcLocator
1⤵
PID:2044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\!BSOD!.htm
MD5
d2030e1dc75e340c8b5b226634ed9a6b

SHA1
ac0621bbf1afa6b4358c36029667460756e365f6

SHA256
f3e7af6477095dc4f2514d842b3745a555134ffb0dccd905626094d7eaf5788a

SHA512
36fd77aa9d70bf3ea7fce656151b37948620bb8be858976339a6ae570fe31ddd6f5731fad5c61f2eaae0dae28a7db4526c059c74abae74aa6f9e8ef21b458995

Download Submit
C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Actions.htm
MD5
a3635f83c4f6fb0b01d8e4c371657168

SHA1
1a2678a0215eb7a83ae033fec024a2fafe30d234

SHA256
15384125b84658d42b710c05f7cd52aeaf9700bcf0384673d37254256155702e

SHA512
91fdefee8e2a7f4756c882451938f718d77e855308b0c4d2f9a2805819929aa48e559b7888262fc1411ccd1d50b21882895641ded9d39ec72f6f1e6cc4379368

Download Submit
C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Crashes.htm
MD5
cc3c4955c46de2b2eabba10094a591b2

SHA1
1552359dec577f7b55759f9fc640106103b471a5

SHA256
6be95e301f67a32220de26a206e0017950090af207b16c1689fae9a9cb17aecd

SHA512
ad8bb5f8ac1cbf7f9b61a20e00d9c7dcdbbe542a067c0770b772f2a874928b932dcb24c4ed9b34c011ed9ce50c8189bd3955664872342e167a23290b2345802c

Download Submit
C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Devices.htm
MD5
7f01db4d934621dee6cb46e1dd2fdd65

SHA1
ef7248861c3a10417fe2778385e99101db9f792b

SHA256
7a0fe87e87b52234952a39f87afda194525914a71ddae8f7a280090bca9df493

SHA512
2dbfec5e40a95200262b2349ede36632dbefbd5beadbcc7ab048af8d40c662924bb4f61484fb7281cbacb059ea0c35d0d70424c914a61c408efa7de95c2de7bd

Download Submit
C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Drivers.htm
MD5
ad884a73806049ebc23a641d71ef781e

SHA1
d3bd6b0de8de399bc5bbbf235ca7610c9d646169

SHA256
436f6f918566ae4a657bdb8b833701489c8bc9bebe0b7501b135e7aa1e51b593

SHA512
7eb0b81392a0958480efd0ae58dd6dfaab901253fb823aa42b376f554ffb8a77ffc65b519e9942558d976bbde3e3f97fa99a91c0b9421d15037566454975100b

Download Submit
C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Execute.htm
MD5
3eac1b06c9c6aa3ffc669adec42cd5a8

SHA1
be9726376d37f5d2814a749d4efbba1d9e01a059

SHA256
b8c2cc798fe0b2d01accaea492e4ff8dcbb75fff92067e25d37de18cc1da3ad5

SHA512
76db2dd3bb6b493b5e270e8e81cc292ef28af74e5c5cf2dc0cebe2968a00658fa7d46a8dcdbba5095caf90386182651cfc897c8596dbf657c3a4c1ab6dee9c10

Download Submit
C:\Windows\Logs\SysInfo\LOGs\MRBKYMNO\SysInfo\Process.htm
MD5
4fb532b9140301ed68309fb34d7b763c

SHA1
9bbd04ee65e1abc6b40a981851c6cf5463a65c7b

SHA256
83710b46a5b517f03c93a056797f361dac8fcf46e47cc5c40d97bdab75689215

SHA512
5299faa6ec93e6cf3eeb1291d51ddadd807fa08053837727bde6e4e8258c276c90b98437d13eafabc6dada7f7dbc09055c27fe1c583bb6df51300d07d4f2171c

Download Submit
C:\Windows\Logs\SysInfo\Tools\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\Windows\Logs\SysInfo\Tools\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe
MD5
54227eba885d489c4d8e37a5a9c61b35

SHA1
27867cb79221f8eed34cd7c146cee55592e39049

SHA256
097fe6029108f854c536ca464a7873160e9b1442b04c8b03a331ad1a23f47d41

SHA512
a57a61e1327da125a711778eb59ff61939310cc13169fde7665cf974b7abe1ee601b09cdb4a84d405963d7445dd2e728904234346814dcaffaaf36d9f6017b96

Download Submit
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
MD5
6126f1221d29712c069ee28ef4186e24

SHA1
dc3b083deea57b413618f4e19d481f1d5bb50df0

SHA256
f5f52ec9c38e7123507fe362ba0a0cd0e3ac17b820813ec3bf435fa3a8135ed0

SHA512
36eafeb63896fda2c93465253cea7a2503969502723f413c8f33f64d15f008e34901b5ddb3f9f28764491cbaa4230a763d4142deccf95bc2f29f2c16c499dfa0

Download Submit
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
MD5
6126f1221d29712c069ee28ef4186e24

SHA1
dc3b083deea57b413618f4e19d481f1d5bb50df0

SHA256
f5f52ec9c38e7123507fe362ba0a0cd0e3ac17b820813ec3bf435fa3a8135ed0

SHA512
36eafeb63896fda2c93465253cea7a2503969502723f413c8f33f64d15f008e34901b5ddb3f9f28764491cbaa4230a763d4142deccf95bc2f29f2c16c499dfa0

Download Submit
C:\Windows\Logs\SysInfo\Tools\CProcess.exe
MD5
5af6b376e660805759683865437acbc0

SHA1
75f61ab72f67c53553ef87c655777c430c3c91c2

SHA256
f0cf25602f19d5b2f2c0050180815eb5c727427142639fa1c177b5d1dc078a1b

SHA512
faf2750a1dcfa6bbac2fc0162f14977ac7b145fe4361e58e880ac727902fc90afe1e92c7107c5096050c2e8a5dae1aab322c84851fbd30542f35e6e846d16e63

Download Submit
C:\Windows\Logs\SysInfo\Tools\CProcess.exe
MD5
5af6b376e660805759683865437acbc0

SHA1
75f61ab72f67c53553ef87c655777c430c3c91c2

SHA256
f0cf25602f19d5b2f2c0050180815eb5c727427142639fa1c177b5d1dc078a1b

SHA512
faf2750a1dcfa6bbac2fc0162f14977ac7b145fe4361e58e880ac727902fc90afe1e92c7107c5096050c2e8a5dae1aab322c84851fbd30542f35e6e846d16e63

Download Submit
C:\Windows\Logs\SysInfo\Tools\DevManView.exe
MD5
6e9a801ff8d54fdd9601988d7786d9a3

SHA1
aeafd86714ded460a758978b9809d62f5aaaf441

SHA256
1fe5616f99dd57c62a8be15de9d591bc116960cdf8f508ae7e6cdc6499ce74d6

SHA512
d0170f9a7346ce44decb33730fd0b41da203c97f6692dbf7cb56e5049acdbd749baef40a02c9ec2761bfaab7a048a0f9ef1f87222a54248620f6497bdd1f2189

Download Submit
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe
MD5
394ae47a85784cc150dba8e23baf50b7

SHA1
29fbf7b25d43e64cc0c05b633bdadfac8edd0eaf

SHA256
b59c3d14968a9d7d90baa0df624339aa977dc98e5de1c7f6b71bef23606db769

SHA512
95d62f45a8db256c3f434b66488e81cef6a47f5995b7290c2bae0d8e95806ba9aa4748f556c72cdb2bef078afd5d9143b94b62f689b247cce72d627344db6cf2

Download Submit
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe
MD5
826156f50213ef802c832308972dab7a

SHA1
da8dd1377c8d803cbeb793d2da0709d5bb4c6d95

SHA256
f545352831e1a4ed14b102f7e9bab9c17b5c05d5a2a8a83ce09e6b12ace1a357

SHA512
53e3fd7e59629159a97d874c30b19f2936fb6ed61990e8f883411ca1d170f1bd9741b9c86264747be5160067fa762b1a50092c1463c88395f43863a0994081fe

Download Submit
C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd
MD5
303dd5852f8ef2d2e3bb75a1c797c196

SHA1
80e83a3ce04853572a73b07880b784af023c9ed3

SHA256
1fc7e5639a2d7fa4b65f092ae4919d897a6d9c80bf8cb45dc8bf1564fde14318

SHA512
5b65ab5e4b77b4eedee17d4c1c6ff04916f5f164fc91935e4a92d29e6933f235a38c8d1278058725aaacf332b8ed3bc904dcd7284a66c3daee0e900fd3ce37ad

Download Submit
C:\Windows\Logs\SysInfo\Tools\HWIDs.txt
MD5
ecab63065bf40088dbd1b9726a452073

SHA1
8e310c958c77ce7c9fe049db0be5364ad91b565d

SHA256
837d63f4d1394900f80d43b3e1a119cb0fd2a4e2e1cd6ad756d73e8f8db0fdd3

SHA512
0919ac02b59de8b9354eb70044d2184dd8f80c0773735d902f9cb1d17706570b1196faa799bd97aaf05dbae41ca62bc089d3e8206c07d235d4824b74ef6f8be1

Download Submit
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe
MD5
0c2370c4716c039ded5e30167799e491

SHA1
9cadf1f158c372d9bbee08a4a5a7caeefc18ea66

SHA256
583eaf01e0ba2ac1f41715fb2bcc2da911ce96989060c2c231f5eefef3746ede

SHA512
9fbb488d818b735bfe89833b4babf98c511e6f25e85ae67f8c817b5da56f6a687b9eb5e31721e6a5a9f3d664cc66eb18f632a07c6e6ad183d95c9c115a300ab9

Download Submit
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe
MD5
596fbfb52190c388c460576db867dcef

SHA1
e7a1431b04e5a5620b1abcb7840f1be5057c6270

SHA256
1bb3309488c00c052e3b69669486c3e7acedc101d2efd03fb129012a937e8311

SHA512
84eca3ae8333bc3ed2a10f30e0028ffd54bc63aeb448f87e79e01e7fd96f25facc08c0cb0b8adca91ae1cc5bf66c754aba096612eb0881e3bbad5550458ecc05

Download Submit
C:\Windows\Logs\SysInfo\Tools\Log.exe
MD5
00cc7593a89abb525f406e74967d2273

SHA1
2343d09a3cf0ff973e1153050a46b4c354358e12

SHA256
b9082d0e28858a8a0d7b749ca31a3cd778155c5539b463efb8a49a44e45cbe5c

SHA512
f169fe6f94a20ca309aabf0a2afbe5b1484b8d6271bab5a8612d4585960ad9fa433355e59fb97b2f85cb47b4aaee26b5d20a8fb03c652e6192be4b11516de05e

Download Submit
C:\Windows\Logs\SysInfo\Tools\MONDEVS.txt
MD5
610fef7f0b3112675c0eb2c85ab87807

SHA1
96b5d189eba62ec3368045138503d0af1cd897eb

SHA256
0076c52b54eb9d15947b0c2e52278ccab38ce2edf5b71ff8ca13bc9ce2f3cb1e

SHA512
153701b4620c0aa3f64645d848ba441d593916a9d6877fe4c4e6d6c17427516e912f0a0d6ae77cbeb48c76483ea4a88750ca8697adbc4c1b0f9b1fda66e9bd19

Download Submit
C:\Windows\Logs\SysInfo\Tools\MRBKYMNO.html
MD5
c9596a2e20a17491292f423bb86cd4e9

SHA1
60bb474089fc7cfa8639ea073dfc2c3fa73ad69a

SHA256
5274ae566ec773799a642fb02be4335f31f8c59f510f6be173e7213429886507

SHA512
57ae54d669de29c87bf22c27cd19331c9967b737fb86bc71b16490a1f347e1a2572c462c60648a0dcc6c81878d9acc299abce90d3ffa86db410c1c65df4be33d

Download Submit
C:\Windows\Logs\SysInfo\Tools\PCIDEVS.txt
MD5
38e71645fd9e76389a3633babe1fe882

SHA1
3d6c0775090cccb47bb7f371a36da7777cb6a5a1

SHA256
af21202c9d6912e72e2c56cdf4edf40552d59f71dc889585b078711732d9b6e7

SHA512
3433a19ae3aebf8ccf64876774248a9c0b3cadacff417295a8521255daa7334a59fc0ce916ea51270bf47590aad37e94d7e4bdc1f1d8f0c57b13e60c6871f51a

Download Submit
C:\Windows\Logs\SysInfo\Tools\PCMDEVS.txt
MD5
1819008e9ee4035ff7ef71958bca5f32

SHA1
ab7eda3b536d48b32741774f7f9e921da072fe63

SHA256
80b9d7f98342ae910a513d16dd760975fcd453df6ab86852f745ad9f22d94041

SHA512
e70ae84c13f323ea4031f19fec43413aea66881e1d63314ffbb897586b5a3b5465d10e0a4b699ce9acaf8c4d0c28846cd31346b6584ee51c6ae12e5c0fada78f

Download Submit
C:\Windows\Logs\SysInfo\Tools\PNPDEVS.txt
MD5
27af0994c13c15284c03d5f1456d8c85

SHA1
252510245b9bccefb81565b5b5cc7ae17772614b

SHA256
90925e63d4373ae0c636388fd113c50fd0d05972e2a5e592edf373cae8b342f4

SHA512
7cdfdf062a3b86275328eeda4e2b1a970df534f074de901b2a14c002bbd6b8b419078fdcefb638c104fe092d5128ba820a1884d38f329c292ceb320469be21c0

Download Submit
C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe
MD5
b0b0c9d7b08f10b1b38b9c137fbf13da

SHA1
18c49f26de70b1842e08923082d6ac1ed5a9fd35

SHA256
956e9a001c3ae0b4996fa2cc337c2d1d6efbbfd64292866a284cc65cfe0e7d51

SHA512
8785a925b97297febc13a232d72761e623276d05d7dc2a48b697233965a05b4d3d43e7910df2610c5ed9641673121d41e4db92ec90c1cea66af8a1561633f315

Download Submit
C:\Windows\Logs\SysInfo\Tools\SIV64X.exe
MD5
7763c800239914ae3665d0fa55091c7c

SHA1
6d5b1513045b68ec957c3faa385260ceed65047b

SHA256
a2e79e37a834b60d5105c6cff2ae18b66973ed192900fe64330e442a3e4c5f6e

SHA512
35498e641fdb8fe09487b2672fa719c73c2d6a918e7545c6c7d8225879c1767180a3a953f835b8614838bbac833fdfecb803c85e256a1a10f97a80d7092e5a7a

Download Submit
C:\Windows\Logs\SysInfo\Tools\SIVX64.sys
MD5
3edb474037615be19d430bd05fb8d20d

SHA1
2dfe7c3266341a5c94ff8a006f8c41989123a3a0

SHA256
939375205f731af340771db3b10194adbff18d82c846d524ed2facab1545c012

SHA512
8205e1f1ffae11463d72d12ca52e974ba1a8c104e6ed76860b48473a31e6ad6d3ee053e9bd9af6588ea6b9ef114b6131791dbf60a6e589975fa29c5d781cb508

Download Submit
C:\Windows\Logs\SysInfo\Tools\SIV_MRBKYMNO.txt
MD5
61167492b02d9834e07cc7dbce83f695

SHA1
9625b11a8ccf23319dfb6bbcf0eb2a5646f63036

SHA256
607e4c80fe2e9e27cc00f0ac1bd55f945f5a4d095331155daa5d9fa38a35bda4

SHA512
566c9e6d63938f0e61b755d887c8c6196a162a95b17591a448166c3d33fbf8f1f2cf6ff60a503ff90664425ef1fb7a46b34d7c432dca53b374216f046a5f4428

Download Submit
C:\Windows\Logs\SysInfo\Tools\USBDEVS.txt
MD5
6acab42496e1547387533a5fc7d8e317

SHA1
e7ff10340aae3b37c644098e68e4bd0f6c78f964

SHA256
b5ebb17f0a978ff110fdd5184955e631e2046d0830d9b6042a50e6354cf1536b

SHA512
3a406b45cc74881f3167ef6d9cd6dc8d2e16f53f07c32eb236c01b9f76f471a41752dff66cd21cb32d1b7ec8345c9335f6804665d8c45bac898ecc94791fce54

Download Submit
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe
MD5
d2a2a0ce38faa12254fbba8c0467ac46

SHA1
fbb7b582ea66642c8ac774696e150526f2cc8fa4

SHA256
7d8e7090d53098f029abd9f98d1a9f1afcdc02d4439ed6a167c53e877a35cff9

SHA512
625fb26cc03da58e98cf640550196aafd48413b16698673bedfd279c6dae16b2cb566b9f703e4bb07860fb2f3bc06247d6f4d0241b786a2bbaf261276db6c036

Download Submit
C:\Windows\Logs\SysInfo\Tools\WinAudit.exe
MD5
11a4917010f23a9caa8fef1f3bcd6b98

SHA1
79c51b63ceb4668a2974ad0c94462b699747da93

SHA256
f9bd55277cbde6f84db9d017512277812e64da6b86ff176b9716f52e322cf926

SHA512
2e95e4492db32f3683949448704527ef23658af836421ef6064b5fdbf4cdd6dcf57212be2ab916171401951c5d1ea23b7dd227ca5ab9226bf33d26f954bf00b9

Download Submit
C:\Windows\Logs\SysInfo\Tools\fix_dll.cmd
MD5
df28279478a8b82ed171dacfc137f617

SHA1
01192107dd9eb5ce0adaf535cfbd5d18af50eb73

SHA256
6ec68bf3e10f3a0c88ac1ef317e171a74452081735f45d3ac59c1b95772597c6

SHA512
fb9acf6825d3766b0c454c464e50f988a55ff41bd1b810ea24dfa2918cfdc5ac36e6a5e69be12e8e21875e23e88cb27f6be39f4e8069ec89055b35a2335cc2d2

Download Submit
C:\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Windows\Logs\SysInfo\Tools\logs\2021_05_07__14_45_51__MRBKYMNO_state.snp
MD5
8ee637d9544d46b4f67f2e3482143003

SHA1
4b8810499c0d589702a4083b71f27dc88d471320

SHA256
63f9ff6d25e8befb0e02be4fd8aa7d82146e47622bf811764f2faf29ad3a119c

SHA512
31e7edeea8d61d0371cb452366572b78d176ee9985f9306d9d49edb0530831bf58871464200a76ec69ac8e2a10c114994503471b1e81c3e96ede9640fdf0e5b0

Download Submit
\Users\Admin\AppData\Local\Temp\nsn3249.tmp\System.dll
MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Local\Temp\nsn3249.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Windows\Logs\SysInfo\Tools\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\Windows\Logs\SysInfo\Tools\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
\Windows\Logs\SysInfo\Tools\AppCrashView.exe
MD5
54227eba885d489c4d8e37a5a9c61b35

SHA1
27867cb79221f8eed34cd7c146cee55592e39049

SHA256
097fe6029108f854c536ca464a7873160e9b1442b04c8b03a331ad1a23f47d41

SHA512
a57a61e1327da125a711778eb59ff61939310cc13169fde7665cf974b7abe1ee601b09cdb4a84d405963d7445dd2e728904234346814dcaffaaf36d9f6017b96

Download Submit
\Windows\Logs\SysInfo\Tools\AppCrashView.exe
MD5
54227eba885d489c4d8e37a5a9c61b35

SHA1
27867cb79221f8eed34cd7c146cee55592e39049

SHA256
097fe6029108f854c536ca464a7873160e9b1442b04c8b03a331ad1a23f47d41

SHA512
a57a61e1327da125a711778eb59ff61939310cc13169fde7665cf974b7abe1ee601b09cdb4a84d405963d7445dd2e728904234346814dcaffaaf36d9f6017b96

Download Submit
\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
MD5
6126f1221d29712c069ee28ef4186e24

SHA1
dc3b083deea57b413618f4e19d481f1d5bb50df0

SHA256
f5f52ec9c38e7123507fe362ba0a0cd0e3ac17b820813ec3bf435fa3a8135ed0

SHA512
36eafeb63896fda2c93465253cea7a2503969502723f413c8f33f64d15f008e34901b5ddb3f9f28764491cbaa4230a763d4142deccf95bc2f29f2c16c499dfa0

Download Submit
\Windows\Logs\SysInfo\Tools\CProcess.exe
MD5
5af6b376e660805759683865437acbc0

SHA1
75f61ab72f67c53553ef87c655777c430c3c91c2

SHA256
f0cf25602f19d5b2f2c0050180815eb5c727427142639fa1c177b5d1dc078a1b

SHA512
faf2750a1dcfa6bbac2fc0162f14977ac7b145fe4361e58e880ac727902fc90afe1e92c7107c5096050c2e8a5dae1aab322c84851fbd30542f35e6e846d16e63

Download Submit
\Windows\Logs\SysInfo\Tools\CProcess.exe
MD5
5af6b376e660805759683865437acbc0

SHA1
75f61ab72f67c53553ef87c655777c430c3c91c2

SHA256
f0cf25602f19d5b2f2c0050180815eb5c727427142639fa1c177b5d1dc078a1b

SHA512
faf2750a1dcfa6bbac2fc0162f14977ac7b145fe4361e58e880ac727902fc90afe1e92c7107c5096050c2e8a5dae1aab322c84851fbd30542f35e6e846d16e63

Download Submit
\Windows\Logs\SysInfo\Tools\DevManView.exe
MD5
6e9a801ff8d54fdd9601988d7786d9a3

SHA1
aeafd86714ded460a758978b9809d62f5aaaf441

SHA256
1fe5616f99dd57c62a8be15de9d591bc116960cdf8f508ae7e6cdc6499ce74d6

SHA512
d0170f9a7346ce44decb33730fd0b41da203c97f6692dbf7cb56e5049acdbd749baef40a02c9ec2761bfaab7a048a0f9ef1f87222a54248620f6497bdd1f2189

Download Submit
\Windows\Logs\SysInfo\Tools\DriverView64.exe
MD5
394ae47a85784cc150dba8e23baf50b7

SHA1
29fbf7b25d43e64cc0c05b633bdadfac8edd0eaf

SHA256
b59c3d14968a9d7d90baa0df624339aa977dc98e5de1c7f6b71bef23606db769

SHA512
95d62f45a8db256c3f434b66488e81cef6a47f5995b7290c2bae0d8e95806ba9aa4748f556c72cdb2bef078afd5d9143b94b62f689b247cce72d627344db6cf2

Download Submit
\Windows\Logs\SysInfo\Tools\DriverView64.exe
MD5
394ae47a85784cc150dba8e23baf50b7

SHA1
29fbf7b25d43e64cc0c05b633bdadfac8edd0eaf

SHA256
b59c3d14968a9d7d90baa0df624339aa977dc98e5de1c7f6b71bef23606db769

SHA512
95d62f45a8db256c3f434b66488e81cef6a47f5995b7290c2bae0d8e95806ba9aa4748f556c72cdb2bef078afd5d9143b94b62f689b247cce72d627344db6cf2

Download Submit
\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe
MD5
826156f50213ef802c832308972dab7a

SHA1
da8dd1377c8d803cbeb793d2da0709d5bb4c6d95

SHA256
f545352831e1a4ed14b102f7e9bab9c17b5c05d5a2a8a83ce09e6b12ace1a357

SHA512
53e3fd7e59629159a97d874c30b19f2936fb6ed61990e8f883411ca1d170f1bd9741b9c86264747be5160067fa762b1a50092c1463c88395f43863a0994081fe

Download Submit
\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe
MD5
0c2370c4716c039ded5e30167799e491

SHA1
9cadf1f158c372d9bbee08a4a5a7caeefc18ea66

SHA256
583eaf01e0ba2ac1f41715fb2bcc2da911ce96989060c2c231f5eefef3746ede

SHA512
9fbb488d818b735bfe89833b4babf98c511e6f25e85ae67f8c817b5da56f6a687b9eb5e31721e6a5a9f3d664cc66eb18f632a07c6e6ad183d95c9c115a300ab9

Download Submit
\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe
MD5
0c2370c4716c039ded5e30167799e491

SHA1
9cadf1f158c372d9bbee08a4a5a7caeefc18ea66

SHA256
583eaf01e0ba2ac1f41715fb2bcc2da911ce96989060c2c231f5eefef3746ede

SHA512
9fbb488d818b735bfe89833b4babf98c511e6f25e85ae67f8c817b5da56f6a687b9eb5e31721e6a5a9f3d664cc66eb18f632a07c6e6ad183d95c9c115a300ab9

Download Submit
\Windows\Logs\SysInfo\Tools\LastActivityView.exe
MD5
596fbfb52190c388c460576db867dcef

SHA1
e7a1431b04e5a5620b1abcb7840f1be5057c6270

SHA256
1bb3309488c00c052e3b69669486c3e7acedc101d2efd03fb129012a937e8311

SHA512
84eca3ae8333bc3ed2a10f30e0028ffd54bc63aeb448f87e79e01e7fd96f25facc08c0cb0b8adca91ae1cc5bf66c754aba096612eb0881e3bbad5550458ecc05

Download Submit
\Windows\Logs\SysInfo\Tools\Log.exe
MD5
00cc7593a89abb525f406e74967d2273

SHA1
2343d09a3cf0ff973e1153050a46b4c354358e12

SHA256
b9082d0e28858a8a0d7b749ca31a3cd778155c5539b463efb8a49a44e45cbe5c

SHA512
f169fe6f94a20ca309aabf0a2afbe5b1484b8d6271bab5a8612d4585960ad9fa433355e59fb97b2f85cb47b4aaee26b5d20a8fb03c652e6192be4b11516de05e

Download Submit
\Windows\Logs\SysInfo\Tools\SDI-drv.exe
MD5
b0b0c9d7b08f10b1b38b9c137fbf13da

SHA1
18c49f26de70b1842e08923082d6ac1ed5a9fd35

SHA256
956e9a001c3ae0b4996fa2cc337c2d1d6efbbfd64292866a284cc65cfe0e7d51

SHA512
8785a925b97297febc13a232d72761e623276d05d7dc2a48b697233965a05b4d3d43e7910df2610c5ed9641673121d41e4db92ec90c1cea66af8a1561633f315

Download Submit
\Windows\Logs\SysInfo\Tools\SIV64X.exe
MD5
7763c800239914ae3665d0fa55091c7c

SHA1
6d5b1513045b68ec957c3faa385260ceed65047b

SHA256
a2e79e37a834b60d5105c6cff2ae18b66973ed192900fe64330e442a3e4c5f6e

SHA512
35498e641fdb8fe09487b2672fa719c73c2d6a918e7545c6c7d8225879c1767180a3a953f835b8614838bbac833fdfecb803c85e256a1a10f97a80d7092e5a7a

Download Submit
\Windows\Logs\SysInfo\Tools\WhatInStartup.exe
MD5
d2a2a0ce38faa12254fbba8c0467ac46

SHA1
fbb7b582ea66642c8ac774696e150526f2cc8fa4

SHA256
7d8e7090d53098f029abd9f98d1a9f1afcdc02d4439ed6a167c53e877a35cff9

SHA512
625fb26cc03da58e98cf640550196aafd48413b16698673bedfd279c6dae16b2cb566b9f703e4bb07860fb2f3bc06247d6f4d0241b786a2bbaf261276db6c036

Download Submit
\Windows\Logs\SysInfo\Tools\WinAudit.exe
MD5
11a4917010f23a9caa8fef1f3bcd6b98

SHA1
79c51b63ceb4668a2974ad0c94462b699747da93

SHA256
f9bd55277cbde6f84db9d017512277812e64da6b86ff176b9716f52e322cf926

SHA512
2e95e4492db32f3683949448704527ef23658af836421ef6064b5fdbf4cdd6dcf57212be2ab916171401951c5d1ea23b7dd227ca5ab9226bf33d26f954bf00b9

Download Submit
\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
memory/296-126-0x0000000000000000-mapping.dmp

Download
memory/308-139-0x0000000000000000-mapping.dmp

Download
memory/308-72-0x0000000000000000-mapping.dmp

Download
memory/316-77-0x0000000000000000-mapping.dmp

Download
memory/332-141-0x0000000000000000-mapping.dmp

Download
memory/396-158-0x0000000000000000-mapping.dmp

Download
memory/396-138-0x0000000000000000-mapping.dmp

Download
memory/556-140-0x0000000000000000-mapping.dmp

Download
memory/576-159-0x0000000000000000-mapping.dmp

Download
memory/592-143-0x0000000000000000-mapping.dmp

Download
memory/596-113-0x0000000000000000-mapping.dmp

Download
memory/620-86-0x0000000000000000-mapping.dmp

Download
memory/668-177-0x0000000000000000-mapping.dmp

Download
memory/668-144-0x0000000000000000-mapping.dmp

Download
memory/744-137-0x0000000000000000-mapping.dmp

Download
memory/832-61-0x0000000000000000-mapping.dmp

Download
memory/832-63-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/876-155-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/876-147-0x0000000000000000-mapping.dmp

Download
memory/876-157-0x0000000009550000-0x0000000009B90000-memory.dmp

Filesize
6.2MB

Download
memory/960-80-0x0000000000000000-mapping.dmp

Download
memory/1076-93-0x0000000000000000-mapping.dmp

Download
memory/1088-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1088-167-0x0000000002520000-0x000000000316A000-memory.dmp

Filesize
12.3MB

Download
memory/1160-161-0x0000000000000000-mapping.dmp

Download
memory/1160-105-0x0000000000000000-mapping.dmp

Download
memory/1212-64-0x0000000000000000-mapping.dmp

Download
memory/1212-168-0x0000000000000000-mapping.dmp

Download
memory/1212-186-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1284-134-0x0000000000000000-mapping.dmp

Download
memory/1292-121-0x0000000000000000-mapping.dmp

Download
memory/1300-115-0x0000000000000000-mapping.dmp

Download
memory/1448-120-0x0000000000000000-mapping.dmp

Download
memory/1464-129-0x0000000000000000-mapping.dmp

Download
memory/1472-145-0x0000000000000000-mapping.dmp

Download
memory/1532-131-0x0000000000000000-mapping.dmp

Download
memory/1584-128-0x0000000000000000-mapping.dmp

Download
memory/1612-127-0x0000000000000000-mapping.dmp

Download
memory/1620-160-0x0000000000000000-mapping.dmp

Download
memory/1696-110-0x0000000000000000-mapping.dmp

Download
memory/1696-67-0x0000000000000000-mapping.dmp

Download
memory/1736-124-0x0000000000000000-mapping.dmp

Download
memory/1832-125-0x0000000000000000-mapping.dmp

Download
memory/1832-90-0x0000000000000000-mapping.dmp

Download
memory/1836-142-0x0000000000000000-mapping.dmp

Download
memory/1928-101-0x0000000000000000-mapping.dmp

Download
memory/1964-187-0x0000000000000000-mapping.dmp

Download
memory/1980-188-0x0000000000000000-mapping.dmp

Download
memory/2032-97-0x0000000000000000-mapping.dmp

Download
memory/2044-130-0x0000000000000000-mapping.dmp

Download
memory/2044-172-0x0000000000000000-mapping.dmp

Download