970253f12e332e4e36537198556cdefe1ba6ae7c20be6482d5fe33f366cd6af2

Analysis

max time kernel
137s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
07-05-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DRP_15.9_Full/Tools/modules/bugreport/SysInfo.exe
Size

5.5MB
MD5

ffc1771da2961a16f68670262aeac3b9
SHA1

ada0cfb2fe7e8097373510be273d5e9443b1936e
SHA256

1a24d8cdc38765e6d5d98a6a9351f5d102d7db45d507f4ee05e85893eb305922
SHA512

2575a75eb42b1b56d43e9e6bb5c6428b3efcef566d05c70917c7c6195e2f410d1c3665dd05d0e5035578a7d4972b4962c50aa48f916e7b869000834f3901102c

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Nirsoft 8 IoCs

Processes:

resource	yara_rule
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe	Nirsoft
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe	Nirsoft

Drops file in Drivers directory 2 IoCs

Processes:

SIV64X.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\SIVX64.sys	SIV64X.exe
File opened for modification	C:\Windows\system32\Drivers\SIVX64.sys	SIV64X.exe

Executes dropped EXE 20 IoCs

Processes:

LastActivityView.exeCProcess.exeSDI-drv.exeDevManView.exeAppCrashView.exeBlueScreenView.exeBlueScreenView.exeExecutedProgramsList.exeWhatInStartup.exeWinAudit.exehidec.exehidec.exeDriverView64.exeInstalledDriversList64.exeSIV64X.exeslui.exehidec.exe7za.exehidec.exewput.exe

pid	process
3588	LastActivityView.exe
4016	CProcess.exe
3884	SDI-drv.exe
204	DevManView.exe
2744	AppCrashView.exe
1536	BlueScreenView.exe
2116	BlueScreenView.exe
2884	ExecutedProgramsList.exe
732	WhatInStartup.exe
1412	WinAudit.exe
3900	hidec.exe
2692	hidec.exe
3332	DriverView64.exe
3612	InstalledDriversList64.exe
1980	SIV64X.exe
3148	slui.exe
1364	hidec.exe
1968	7za.exe
2868	hidec.exe
204	wput.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Logs\SysInfo\Tools\CProcess.exe	upx
C:\Windows\Logs\SysInfo\Tools\CProcess.exe	upx
C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe	upx
C:\Windows\Logs\SysInfo\Tools\DevManView.exe	upx
C:\Windows\Logs\SysInfo\Tools\DevManView.exe	upx
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe	upx
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe	upx
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	upx
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	upx
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	upx
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe	upx
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe	upx

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SIV64X.exeWinAudit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WinAudit.exe

Loads dropped DLL 3 IoCs

Processes:

SysInfo.exe

pid process

3968 SysInfo.exe
3968 SysInfo.exe
3968 SysInfo.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

DevManView.exe

description ioc process

File opened (read-only) \??\D: DevManView.exe

description	ioc	process
File opened (read-only)	\??\D:	DevManView.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DevManView.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe

Drops file in System32 directory 14 IoCs

Processes:

dxdiag.exe

description	ioc	process
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dxdiag.exe

Drops file in Windows directory 64 IoCs

Processes:

WinAudit.exeWhatInStartup.exeSysInfo.exedxdiag.exeInstalledDriversList64.exeSDI-drv.exeLastActivityView.exeExecutedProgramsList.exeBlueScreenView.execmd.exeDevManView.exeBlueScreenView.exeCProcess.exeSIV64X.exe7za.exeslui.exe

description	ioc	process
File created	C:\Windows\INF\c_volume.PNF	WinAudit.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Startup.htm	WhatInStartup.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\FXSAPIDebugLogFile.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SDI-Logs\2021_05_07__14_45_50__RJMQBVDN_state.snp	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Execute.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\DxDiag.txt	dxdiag.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Drivers.html	InstalledDriversList64.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\FXSTIFFDebugLogFile.txt	SysInfo.exe
File opened for modification	C:\Windows\setupact.log	dxdiag.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\DIA-Logs\	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Actions.htm	SysInfo.exe
File created	C:\Windows\INF\c_diskdrive.PNF	SDI-drv.exe
File created	C:\Windows\Logs\SysInfo\Tools\pcmdevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\www.SamLab.ws.url	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Actions.htm	LastActivityView.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Execute.htm	ExecutedProgramsList.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\FXSTIFFDebugLogFile.txt	SysInfo.exe
File opened for modification	C:\Windows\setuperr.log	dxdiag.exe
File created	C:\Windows\Logs\SysInfo\Tools\pcidevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\hidec.exe	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Crashes.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\7za.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\!BSOD!.txt	BlueScreenView.exe
File opened for modification	C:\Windows\Logs\SysInfo\Tools\HWIDs.txt	cmd.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\FXSTIFFDebugLogFile.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\SIV_RJMQBVDN.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Startup.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\pnpdevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\DriverView.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SysInf.bat	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Devices.htm	DevManView.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\DevManView.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\SIVX32.sys	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\wput.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\setupapi.setup.log	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Drivers.htm	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\DriverView64.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\setupapi.dev.log	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\DRP-Online\	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\HWIDs.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\SIV_RJMQBVDN.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\BoxCutter.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\mondevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\usbdevs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\!BSOD!.htm	BlueScreenView.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\HWIDs.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Process.htm	CProcess.exe
File created	C:\Windows\INF\c_monitor.PNF	SDI-drv.exe
File created	C:\Windows\Logs\SysInfo\Tools\SIV_RJMQBVDN.txt	SIV64X.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\RJMQBVDN.html	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\SysInfo.7z	7za.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\!BSOD!.htm	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\RJMQBVDN.html	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\CProcess.exe	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\FXSAPIDebugLogFile.txt	SysInfo.exe
File opened for modification	C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\FXSAPIDebugLogFile.txt	SysInfo.exe
File created	C:\Windows\Logs\SysInfo\Tools\ERROR.BUG	slui.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DevManView.exeWinAudit.exeSIV64X.exeSDI-drv.exedxdiag.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Driver	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	SDI-drv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CPU	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Class	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	SDI-drv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	SDI-drv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	WinAudit.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Driver	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CurrentDriveLetterAssignment	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\BIOSVersion	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LocationInformation	WinAudit.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM	SIV64X.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	SIV64X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	WinAudit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SIV64X.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Class	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Driver	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CurrentDriveLetterAssignment	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	dxdiag.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	SDI-drv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\BIOSVersion	SIV64X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	SIV64X.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	SIV64X.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	SIV64X.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinAudit.exeSIV64X.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	WinAudit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VirtualAddressBits	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PhysicalAddressBits	SIV64X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	SIV64X.exe

Modifies registry class 36 IoCs

Processes:

dxdiag.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SYSTEM32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.css	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.css\Content Type = "text/css"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

SysInfo.exeCProcess.exeWhatInStartup.exeWinAudit.exedxdiag.exeSIV64X.exe

pid	process
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
4016	CProcess.exe
4016	CProcess.exe
732	WhatInStartup.exe
732	WhatInStartup.exe
1412	WinAudit.exe
1412	WinAudit.exe
1944	dxdiag.exe
1944	dxdiag.exe
1980	SIV64X.exe
1980	SIV64X.exe
1980	SIV64X.exe
1980	SIV64X.exe
1980	SIV64X.exe
1980	SIV64X.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid process

612
612
612
612
612
612
612

pid	process
612
612
612
612
612
612
612

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

LastActivityView.exeCProcess.exeDevManView.exeWhatInStartup.exeWinAudit.exeSIV64X.exe

description	pid	process
Token: SeBackupPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeBackupPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeBackupPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeSecurityPrivilege	3588	LastActivityView.exe
Token: SeDebugPrivilege	4016	CProcess.exe
Token: SeBackupPrivilege	204	DevManView.exe
Token: SeRestorePrivilege	204	DevManView.exe
Token: SeTakeOwnershipPrivilege	204	DevManView.exe
Token: SeRestorePrivilege	732	WhatInStartup.exe
Token: SeBackupPrivilege	732	WhatInStartup.exe
Token: SeIncBasePriorityPrivilege	1412	WinAudit.exe
Token: SeIncBasePriorityPrivilege	1980	SIV64X.exe
Token: SeSystemEnvironmentPrivilege	1980	SIV64X.exe
Token: SeLoadDriverPrivilege	1980	SIV64X.exe
Token: SeDebugPrivilege	1980	SIV64X.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

SysInfo.exe

pid	process
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe
3968	SysInfo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dxdiag.exe

pid process

1944 dxdiag.exe

pid	process
1944	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SysInfo.exehidec.exehidec.execmd.exenet.exenet.exe

description	pid	process	target process
PID 3968 wrote to memory of 1944	3968	SysInfo.exe	dxdiag.exe
PID 3968 wrote to memory of 1944	3968	SysInfo.exe	dxdiag.exe
PID 3968 wrote to memory of 3588	3968	SysInfo.exe	LastActivityView.exe
PID 3968 wrote to memory of 3588	3968	SysInfo.exe	LastActivityView.exe
PID 3968 wrote to memory of 3588	3968	SysInfo.exe	LastActivityView.exe
PID 3968 wrote to memory of 4016	3968	SysInfo.exe	CProcess.exe
PID 3968 wrote to memory of 4016	3968	SysInfo.exe	CProcess.exe
PID 3968 wrote to memory of 4016	3968	SysInfo.exe	CProcess.exe
PID 3968 wrote to memory of 3884	3968	SysInfo.exe	SDI-drv.exe
PID 3968 wrote to memory of 3884	3968	SysInfo.exe	SDI-drv.exe
PID 3968 wrote to memory of 3884	3968	SysInfo.exe	SDI-drv.exe
PID 3968 wrote to memory of 204	3968	SysInfo.exe	DevManView.exe
PID 3968 wrote to memory of 204	3968	SysInfo.exe	DevManView.exe
PID 3968 wrote to memory of 204	3968	SysInfo.exe	DevManView.exe
PID 3968 wrote to memory of 2744	3968	SysInfo.exe	AppCrashView.exe
PID 3968 wrote to memory of 2744	3968	SysInfo.exe	AppCrashView.exe
PID 3968 wrote to memory of 2744	3968	SysInfo.exe	AppCrashView.exe
PID 3968 wrote to memory of 1536	3968	SysInfo.exe	BlueScreenView.exe
PID 3968 wrote to memory of 1536	3968	SysInfo.exe	BlueScreenView.exe
PID 3968 wrote to memory of 1536	3968	SysInfo.exe	BlueScreenView.exe
PID 3968 wrote to memory of 2116	3968	SysInfo.exe	BlueScreenView.exe
PID 3968 wrote to memory of 2116	3968	SysInfo.exe	BlueScreenView.exe
PID 3968 wrote to memory of 2116	3968	SysInfo.exe	BlueScreenView.exe
PID 3968 wrote to memory of 2884	3968	SysInfo.exe	ExecutedProgramsList.exe
PID 3968 wrote to memory of 2884	3968	SysInfo.exe	ExecutedProgramsList.exe
PID 3968 wrote to memory of 2884	3968	SysInfo.exe	ExecutedProgramsList.exe
PID 3968 wrote to memory of 732	3968	SysInfo.exe	WhatInStartup.exe
PID 3968 wrote to memory of 732	3968	SysInfo.exe	WhatInStartup.exe
PID 3968 wrote to memory of 732	3968	SysInfo.exe	WhatInStartup.exe
PID 3968 wrote to memory of 1412	3968	SysInfo.exe	WinAudit.exe
PID 3968 wrote to memory of 1412	3968	SysInfo.exe	WinAudit.exe
PID 3968 wrote to memory of 1412	3968	SysInfo.exe	WinAudit.exe
PID 3968 wrote to memory of 3900	3968	SysInfo.exe	hidec.exe
PID 3968 wrote to memory of 3900	3968	SysInfo.exe	hidec.exe
PID 3968 wrote to memory of 3900	3968	SysInfo.exe	hidec.exe
PID 3900 wrote to memory of 3076	3900	hidec.exe	cmd.exe
PID 3900 wrote to memory of 3076	3900	hidec.exe	cmd.exe
PID 3900 wrote to memory of 3076	3900	hidec.exe	cmd.exe
PID 3968 wrote to memory of 2692	3968	SysInfo.exe	hidec.exe
PID 3968 wrote to memory of 2692	3968	SysInfo.exe	hidec.exe
PID 3968 wrote to memory of 2692	3968	SysInfo.exe	hidec.exe
PID 3968 wrote to memory of 3332	3968	SysInfo.exe	DriverView64.exe
PID 3968 wrote to memory of 3332	3968	SysInfo.exe	DriverView64.exe
PID 2692 wrote to memory of 3220	2692	hidec.exe	cmd.exe
PID 2692 wrote to memory of 3220	2692	hidec.exe	cmd.exe
PID 2692 wrote to memory of 3220	2692	hidec.exe	cmd.exe
PID 3220 wrote to memory of 1968	3220	cmd.exe	reg.exe
PID 3220 wrote to memory of 1968	3220	cmd.exe	reg.exe
PID 3220 wrote to memory of 1968	3220	cmd.exe	reg.exe
PID 3220 wrote to memory of 2744	3220	cmd.exe	net.exe
PID 3220 wrote to memory of 2744	3220	cmd.exe	net.exe
PID 3220 wrote to memory of 2744	3220	cmd.exe	net.exe
PID 2744 wrote to memory of 3624	2744	net.exe	net1.exe
PID 2744 wrote to memory of 3624	2744	net.exe	net1.exe
PID 2744 wrote to memory of 3624	2744	net.exe	net1.exe
PID 3968 wrote to memory of 3612	3968	SysInfo.exe	InstalledDriversList64.exe
PID 3968 wrote to memory of 3612	3968	SysInfo.exe	InstalledDriversList64.exe
PID 3220 wrote to memory of 1856	3220	cmd.exe	net.exe
PID 3220 wrote to memory of 1856	3220	cmd.exe	net.exe
PID 3220 wrote to memory of 1856	3220	cmd.exe	net.exe
PID 1856 wrote to memory of 3064	1856	net.exe	net1.exe
PID 1856 wrote to memory of 3064	1856	net.exe	net1.exe
PID 1856 wrote to memory of 3064	1856	net.exe	net1.exe
PID 3220 wrote to memory of 2804	3220	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\DRP_15.9_Full\Tools\modules\bugreport\SysInfo.exe
"C:\Users\Admin\AppData\Local\Temp\DRP_15.9_Full\Tools\modules\bugreport\SysInfo.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SYSTEM32\dxdiag.exe
dxdiag /t C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\DxDiag.txt
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Actions.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\Logs\SysInfo\Tools\CProcess.exe
C:\Windows\Logs\SysInfo\Tools\CProcess.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Process.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe
C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe -nogui -autoclose
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3884

C:\Windows\Logs\SysInfo\Tools\DevManView.exe
C:\Windows\Logs\SysInfo\Tools\DevManView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Devices.htm
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Crashes.htm
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\!BSOD!.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1536

C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe /scomma C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\!BSOD!.txt
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2116

C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Execute.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2884

C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Startup.htm
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\Logs\SysInfo\Tools\WinAudit.exe
C:\Windows\Logs\SysInfo\Tools\WinAudit.exe /r=gz /o=HTML
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd
3⤵
- Drops file in Windows directory
PID:3076

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\fix_dll.cmd
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Logs\SysInfo\Tools\fix_dll.cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css" /v "Content Type" /t reg_sz /d text/css /f
4⤵
- Modifies registry class
PID:1968

C:\Windows\SysWOW64\net.exe
net stop RpcSs
4⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RpcSs
5⤵
PID:3624

C:\Windows\SysWOW64\net.exe
net stop wmiApSrv
4⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wmiApSrv
5⤵
PID:3064

C:\Windows\SysWOW64\net.exe
net stop RpcLocator
4⤵
PID:2804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RpcLocator
5⤵
PID:3768

C:\Windows\SysWOW64\net.exe
net stop DcomLaunch
4⤵
PID:3712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DcomLaunch
5⤵
PID:3880

C:\Windows\SysWOW64\sc.exe
sc config RpcSs start=auto
4⤵
PID:1388

C:\Windows\SysWOW64\sc.exe
sc config wmiApSrv start=auto
4⤵
PID:2848

C:\Windows\SysWOW64\sc.exe
sc config RpcLocator start=auto
4⤵
PID:2512

C:\Windows\SysWOW64\sc.exe
sc config DcomLaunch start=auto
4⤵
PID:3212

C:\Windows\SysWOW64\net.exe
net start RpcSs
4⤵
PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start RpcSs
5⤵
PID:3600

C:\Windows\SysWOW64\net.exe
net start wmiApSrv
4⤵
PID:3448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start wmiApSrv
5⤵
PID:3808

C:\Windows\SysWOW64\net.exe
net start RpcLocator
4⤵
PID:2392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start RpcLocator
5⤵
PID:500

C:\Windows\SysWOW64\net.exe
net start DcomLaunch
4⤵
PID:2652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start DcomLaunch
5⤵
PID:2868

C:\Windows\Logs\SysInfo\Tools\DriverView64.exe
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Drivers.htm
2⤵
- Executes dropped EXE
PID:3332

C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe /shtml C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Drivers.html
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3612

C:\Windows\Logs\SysInfo\Tools\SIV64X.exe
C:\Windows\Logs\SysInfo\Tools\SIV64X.exe -SAVE[devices][device-ids][dimms][driver-vsn][environment][hw-status][interfaces][my-ip-address][overview][pnp-dev][processes][startup][software][system][uaa-dev]
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\Logs\SysInfo\Tools\Log.exe
C:\Windows\Logs\SysInfo\Tools\Log.exe /S /C
2⤵
PID:3148

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\7za a -t7z C:\Windows\Logs\SysInfo\SysInfo.7z C:\Windows\Logs\SysInfo\LOGs\
2⤵
- Executes dropped EXE
PID:1364

C:\Windows\Logs\SysInfo\Tools\7za.exe
C:\Windows\Logs\SysInfo\Tools\7za a -t7z C:\Windows\Logs\SysInfo\SysInfo.7z C:\Windows\Logs\SysInfo\LOGs\
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1968

C:\Windows\Logs\SysInfo\Tools\hidec.exe
C:\Windows\Logs\SysInfo\Tools\hidec.exe /W C:\Windows\Logs\SysInfo\Tools\wput.exe --output-file=C:\Windows\Temp\RJMQBVDN_2021.05.07_v15.9.log "C:\Windows\Logs\SysInfo\RJMQBVDN_2021.05.07_v15.9.7z" "ftp://feedback:pq9KvdyeRVA6u@download0.drp.su/logs/15.9_full/RJMQBVDN_2021.05.07_v15.9.7z"
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\Logs\SysInfo\Tools\wput.exe
C:\Windows\Logs\SysInfo\Tools\wput.exe --output-file=C:\Windows\Temp\RJMQBVDN_2021.05.07_v15.9.log "C:\Windows\Logs\SysInfo\RJMQBVDN_2021.05.07_v15.9.7z" "ftp://feedback:pq9KvdyeRVA6u@download0.drp.su/logs/15.9_full/RJMQBVDN_2021.05.07_v15.9.7z"
3⤵
- Executes dropped EXE
PID:204

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:3564

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:2392

C:\Windows\System32\slui.exe
C:\Windows\System32\slui.exe -Embedding
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\c_diskdrive.PNF
MD5
ce08d90859fac82d2e92413f823b6e2d

SHA1
3993816f49686ef464fc9414eb2b33643b763950

SHA256
bfadbea5b5594b10e92477c5b54b7e60cee42f6ed836db225a6cb8ce8e060cc9

SHA512
42cf4d44a5a241111bfb834c135a859c253637172d9a22441bb6faa530712cd223a0c78a90e7c65adecdaf7b84fee3b53b874b814a1a02593955191a7be81f0f

Download Submit
C:\Windows\INF\c_monitor.PNF
MD5
03eeab0e759b0f49671968419acabeb1

SHA1
153a214d7bab96ac9732a0a094927fc72eb21779

SHA256
6ead6adaab3ed989ac989c3c28e9660172afd3c732c9f145751afb9d57f29018

SHA512
ef34e173ce53087a7fa1153aa4d9b2be5f1fb11cff2908304fb3ae6456a1a8597d8b7a3d150428d7838087ac82df644ad89cc0389cf45ce112108cb9166d821e

Download Submit
C:\Windows\INF\c_processor.PNF
MD5
faae33656c78deb72ff9b3bdd673fa3a

SHA1
302b1f074d5a50636fafb2232e7928a05b05a30a

SHA256
9836057b14021082e33547621ebaa4c1e6ec7a314f9d6e3e683695843b2a3b12

SHA512
5d5d17a3702255b8e0093734885d8adc44f52d5057f5566b30032551494aeb43ab149c98a686eac5f680f470f24c6bc7883343789584573add2cac01066ea7ce

Download Submit
C:\Windows\INF\c_volume.PNF
MD5
9928873d826d3c2b28fc34de6a8d258b

SHA1
004ce000c9a45c754b4b8683d04bad69399ede12

SHA256
7a0b2d514fc79377984e382dbb0069891895d6c6410625c4978ab3cfcd094ff3

SHA512
4ab53c58c0a7db9ed96f8483012b2f7cdfb9647d7ff10eb5eade9c54bf8ffc4013e35fc141b6f84d2d02a06d476591f8dc6fb2f31f8dd54c8d944fd8228cdef0

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\!BSOD!.htm
MD5
d2030e1dc75e340c8b5b226634ed9a6b

SHA1
ac0621bbf1afa6b4358c36029667460756e365f6

SHA256
f3e7af6477095dc4f2514d842b3745a555134ffb0dccd905626094d7eaf5788a

SHA512
36fd77aa9d70bf3ea7fce656151b37948620bb8be858976339a6ae570fe31ddd6f5731fad5c61f2eaae0dae28a7db4526c059c74abae74aa6f9e8ef21b458995

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Actions.htm
MD5
588eaecfcadd8c45c7a4e921f8a9d43f

SHA1
119fcd8d1979ddab795079f4547f9e0e1044c7b9

SHA256
35ad4b43f5e877651c606876a5ab79d547c26f0be2808f32a420cbacd0d4fb65

SHA512
a666a203708656097f28ed733e307b14ff721c345454a7a59761a87ce80c608e4f93e06c10a21146ce3012b3acacd1b46c1b9fa6e785d5287587abc274611379

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Crashes.htm
MD5
08f9c7a71245c7f3517c23d4cbca1e83

SHA1
2b8c83585f79d09b5e7a71f4a0c156e9aed0b461

SHA256
15eeb897d467fde1202f0d93f12ccec5f46b36f1427951652e33c77cf364dc86

SHA512
23a5d323b1b04e3af8190371dc630ad951e85e1520d6a756b4fa1a9b92d3c178802fa3b839d16fc26ac482d2c339f80e75151861cabcef41e9c04d4345b95e52

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Devices.htm
MD5
bc532ab2e5edfeb0d19a95097f331398

SHA1
804d71fb010c3758abd6963e18527674ec7b5215

SHA256
73268ca231ca823bbfb8577fe1482c386d3dd5714c492c460f036d31c22c10b3

SHA512
b0de3fb83f61cb888298d14a5a473f1d7aa5ea807c25356982d74afc75c1742cb467af426dad97f2a9b51e75e0d470deb3f33489432dffd6265c9e0c0aa7e85f

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Drivers.htm
MD5
d45ae8741e786d2d8aaff955cf635879

SHA1
42cf8fb5f74929afeea0d75775a92573a21f8871

SHA256
a5f0ec5ab118be164bbee9de9aa6f6460ee466f6bde18ddce765369f53e5eb6e

SHA512
139e83723edb57e789094159e6eb4d6a6fa04b70ace494c444e76273c0542f712696a7ccac2f609a632bf68aecda3ce2bb2531b870b28fba58e5921f49260505

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Drivers.html
MD5
84575fb9f463b79abab2c801e901999c

SHA1
c626be552429bc8568053e3ea1f92f36bd7f8f77

SHA256
fe9f1c9bbe2181775bd80cee2391defed4ae8a7420ca2367e73cf0df75c6b12f

SHA512
5f7d8a93f0e41458a029ee773e5215e04b8693f971dd087a6ddd500b8c6965ec0ad443428eeaa021013205b970f6e3f065c03887c49f9ae5b69227ecff630c97

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Execute.htm
MD5
6de30e213ea03e4f2e67cf2899bf9794

SHA1
cf7ed46cba88b81c34cea9e961cce0f4ce7d6cec

SHA256
666db124e6002379ed95588369b0937d70f2fda6c4a84d4bf7abac67976007a4

SHA512
1f9090fcd33ff4d92402621d1ab87dffc1d4062df69e5304061a6513c1ebc3b8df381c408a949f86f930996c94f27a653806f91795c69dad38869e3b385e2017

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\HWIDs.txt
MD5
ecab63065bf40088dbd1b9726a452073

SHA1
8e310c958c77ce7c9fe049db0be5364ad91b565d

SHA256
837d63f4d1394900f80d43b3e1a119cb0fd2a4e2e1cd6ad756d73e8f8db0fdd3

SHA512
0919ac02b59de8b9354eb70044d2184dd8f80c0773735d902f9cb1d17706570b1196faa799bd97aaf05dbae41ca62bc089d3e8206c07d235d4824b74ef6f8be1

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Process.htm
MD5
97ba4f51d668906d5b9e3c1d84ee988a

SHA1
91838b51796d082afe5155dc5b6a1cade7e4ccf6

SHA256
77bd93d3da5d3e068e54e3b5aaff267fcdf04d3ba72ae305810797c3cfc11b56

SHA512
3915c42c0c9d4b820ed3c762f86a16b5833b47d54036291cc3f86741aa8cf44053e43264a46244e831171ffe6052be9ab9f412bfc5b0e889b7093d5afb7de49b

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\RJMQBVDN.html
MD5
d0c3f84c882c84628ed0c8cd8b21adf0

SHA1
dc161aa7466e7c3fa30d68bfa54638a08b9e35f9

SHA256
b03e0b41ee6b72552270a2e28e2f6e42aeacd6c07c18ff0bcffc2533bd7d708a

SHA512
e15875f3e5a4242d12473e3f1744bdd4557deddbccf6d9183a648b6914c5309b50b2d4d3247937161b39039c326e881f0a8c011c0051ebc564bbabbd1cefb683

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\SIV_RJMQBVDN.txt
MD5
a35e8f291c5856b9b30713f7c2a092e3

SHA1
b50b542891c220f868ffabd045fd929fe41389c9

SHA256
df38e573ea913d81ab0f5a753c9675c2c4cb43bf2a1b6ccaa86f00f9f7683cbf

SHA512
e12de497e24c7217d7f44921d15507e862c96d95ea609880906fc203bdc64f0cb5f476d11800bc1767168c41ccc47a30573bab19ea1f5027fa0173d954deaeaa

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\SysInfo\Startup.htm
MD5
20fbcef0bd35a0f23ce7ada50cb67fdd

SHA1
e947565cc7be1322c35842e2f4b5fe43b5573ceb

SHA256
3ca7301eba07499338badbc89e94bc33901789fda7ffa203327a758d494205f3

SHA512
c7955136d3aa8a77e8bcc2242b189239de5edb957eed10c3061b8337088ba2b3e115ec3312b23590726cfa36bb4644e68455c6549257c456f8fff96a914fa32d

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\setupapi.dev.log
MD5
f752c21da6b6bbf904473fe34da37b43

SHA1
027bf50f87d2f28373bd2fe46afaf28b050fa7fc

SHA256
7bbefd0e5c00f737de9f4718fcfbf0979c885d4551acecba0697c507076731bf

SHA512
0ba18a40bb553e1f2e0bb197fa4ab50608a4c8c19936c5435b5ceb66d2fb9b526b2a148fae0df11532c4c8072fbccb4af6767d7a8f39f27f5717f394a11c5601

Download Submit
C:\Windows\Logs\SysInfo\LOGs\RJMQBVDN\System\setupapi.setup.log
MD5
4d28d79fd38414b1d27911c83d2d032f

SHA1
5dc47ea6f9b77be66abc708bd1c505670ed7c95b

SHA256
30c48dda0b06c1b29ca3f869c5f72d7c61f1884e91eeb3b4686b31e38846907e

SHA512
3d4ac4e02de071c9b9b849f76219b54fa2005c15c76f652bde5f1a8d145a18681610c731f0cd136856a1d562586e2799976e07c85466860b0bf8567b1905e148

Download Submit
C:\Windows\Logs\SysInfo\Tools\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\Windows\Logs\SysInfo\Tools\7za.exe
MD5
c3d309156b8e8cf1d158de5fab1c2b40

SHA1
58ad15d91abac2c6203e389ac8a8ff6685406d41

SHA256
993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c

SHA512
2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

Download Submit
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe
MD5
54227eba885d489c4d8e37a5a9c61b35

SHA1
27867cb79221f8eed34cd7c146cee55592e39049

SHA256
097fe6029108f854c536ca464a7873160e9b1442b04c8b03a331ad1a23f47d41

SHA512
a57a61e1327da125a711778eb59ff61939310cc13169fde7665cf974b7abe1ee601b09cdb4a84d405963d7445dd2e728904234346814dcaffaaf36d9f6017b96

Download Submit
C:\Windows\Logs\SysInfo\Tools\AppCrashView.exe
MD5
54227eba885d489c4d8e37a5a9c61b35

SHA1
27867cb79221f8eed34cd7c146cee55592e39049

SHA256
097fe6029108f854c536ca464a7873160e9b1442b04c8b03a331ad1a23f47d41

SHA512
a57a61e1327da125a711778eb59ff61939310cc13169fde7665cf974b7abe1ee601b09cdb4a84d405963d7445dd2e728904234346814dcaffaaf36d9f6017b96

Download Submit
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
MD5
6126f1221d29712c069ee28ef4186e24

SHA1
dc3b083deea57b413618f4e19d481f1d5bb50df0

SHA256
f5f52ec9c38e7123507fe362ba0a0cd0e3ac17b820813ec3bf435fa3a8135ed0

SHA512
36eafeb63896fda2c93465253cea7a2503969502723f413c8f33f64d15f008e34901b5ddb3f9f28764491cbaa4230a763d4142deccf95bc2f29f2c16c499dfa0

Download Submit
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
MD5
6126f1221d29712c069ee28ef4186e24

SHA1
dc3b083deea57b413618f4e19d481f1d5bb50df0

SHA256
f5f52ec9c38e7123507fe362ba0a0cd0e3ac17b820813ec3bf435fa3a8135ed0

SHA512
36eafeb63896fda2c93465253cea7a2503969502723f413c8f33f64d15f008e34901b5ddb3f9f28764491cbaa4230a763d4142deccf95bc2f29f2c16c499dfa0

Download Submit
C:\Windows\Logs\SysInfo\Tools\BlueScreenView.exe
MD5
6126f1221d29712c069ee28ef4186e24

SHA1
dc3b083deea57b413618f4e19d481f1d5bb50df0

SHA256
f5f52ec9c38e7123507fe362ba0a0cd0e3ac17b820813ec3bf435fa3a8135ed0

SHA512
36eafeb63896fda2c93465253cea7a2503969502723f413c8f33f64d15f008e34901b5ddb3f9f28764491cbaa4230a763d4142deccf95bc2f29f2c16c499dfa0

Download Submit
C:\Windows\Logs\SysInfo\Tools\CProcess.exe
MD5
5af6b376e660805759683865437acbc0

SHA1
75f61ab72f67c53553ef87c655777c430c3c91c2

SHA256
f0cf25602f19d5b2f2c0050180815eb5c727427142639fa1c177b5d1dc078a1b

SHA512
faf2750a1dcfa6bbac2fc0162f14977ac7b145fe4361e58e880ac727902fc90afe1e92c7107c5096050c2e8a5dae1aab322c84851fbd30542f35e6e846d16e63

Download Submit
C:\Windows\Logs\SysInfo\Tools\CProcess.exe
MD5
5af6b376e660805759683865437acbc0

SHA1
75f61ab72f67c53553ef87c655777c430c3c91c2

SHA256
f0cf25602f19d5b2f2c0050180815eb5c727427142639fa1c177b5d1dc078a1b

SHA512
faf2750a1dcfa6bbac2fc0162f14977ac7b145fe4361e58e880ac727902fc90afe1e92c7107c5096050c2e8a5dae1aab322c84851fbd30542f35e6e846d16e63

Download Submit
C:\Windows\Logs\SysInfo\Tools\DevManView.exe
MD5
6e9a801ff8d54fdd9601988d7786d9a3

SHA1
aeafd86714ded460a758978b9809d62f5aaaf441

SHA256
1fe5616f99dd57c62a8be15de9d591bc116960cdf8f508ae7e6cdc6499ce74d6

SHA512
d0170f9a7346ce44decb33730fd0b41da203c97f6692dbf7cb56e5049acdbd749baef40a02c9ec2761bfaab7a048a0f9ef1f87222a54248620f6497bdd1f2189

Download Submit
C:\Windows\Logs\SysInfo\Tools\DevManView.exe
MD5
6e9a801ff8d54fdd9601988d7786d9a3

SHA1
aeafd86714ded460a758978b9809d62f5aaaf441

SHA256
1fe5616f99dd57c62a8be15de9d591bc116960cdf8f508ae7e6cdc6499ce74d6

SHA512
d0170f9a7346ce44decb33730fd0b41da203c97f6692dbf7cb56e5049acdbd749baef40a02c9ec2761bfaab7a048a0f9ef1f87222a54248620f6497bdd1f2189

Download Submit
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe
MD5
394ae47a85784cc150dba8e23baf50b7

SHA1
29fbf7b25d43e64cc0c05b633bdadfac8edd0eaf

SHA256
b59c3d14968a9d7d90baa0df624339aa977dc98e5de1c7f6b71bef23606db769

SHA512
95d62f45a8db256c3f434b66488e81cef6a47f5995b7290c2bae0d8e95806ba9aa4748f556c72cdb2bef078afd5d9143b94b62f689b247cce72d627344db6cf2

Download Submit
C:\Windows\Logs\SysInfo\Tools\DriverView64.exe
MD5
394ae47a85784cc150dba8e23baf50b7

SHA1
29fbf7b25d43e64cc0c05b633bdadfac8edd0eaf

SHA256
b59c3d14968a9d7d90baa0df624339aa977dc98e5de1c7f6b71bef23606db769

SHA512
95d62f45a8db256c3f434b66488e81cef6a47f5995b7290c2bae0d8e95806ba9aa4748f556c72cdb2bef078afd5d9143b94b62f689b247cce72d627344db6cf2

Download Submit
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe
MD5
826156f50213ef802c832308972dab7a

SHA1
da8dd1377c8d803cbeb793d2da0709d5bb4c6d95

SHA256
f545352831e1a4ed14b102f7e9bab9c17b5c05d5a2a8a83ce09e6b12ace1a357

SHA512
53e3fd7e59629159a97d874c30b19f2936fb6ed61990e8f883411ca1d170f1bd9741b9c86264747be5160067fa762b1a50092c1463c88395f43863a0994081fe

Download Submit
C:\Windows\Logs\SysInfo\Tools\ExecutedProgramsList.exe
MD5
826156f50213ef802c832308972dab7a

SHA1
da8dd1377c8d803cbeb793d2da0709d5bb4c6d95

SHA256
f545352831e1a4ed14b102f7e9bab9c17b5c05d5a2a8a83ce09e6b12ace1a357

SHA512
53e3fd7e59629159a97d874c30b19f2936fb6ed61990e8f883411ca1d170f1bd9741b9c86264747be5160067fa762b1a50092c1463c88395f43863a0994081fe

Download Submit
C:\Windows\Logs\SysInfo\Tools\HWIDs.cmd
MD5
303dd5852f8ef2d2e3bb75a1c797c196

SHA1
80e83a3ce04853572a73b07880b784af023c9ed3

SHA256
1fc7e5639a2d7fa4b65f092ae4919d897a6d9c80bf8cb45dc8bf1564fde14318

SHA512
5b65ab5e4b77b4eedee17d4c1c6ff04916f5f164fc91935e4a92d29e6933f235a38c8d1278058725aaacf332b8ed3bc904dcd7284a66c3daee0e900fd3ce37ad

Download Submit
C:\Windows\Logs\SysInfo\Tools\HWIDs.txt
MD5
ecab63065bf40088dbd1b9726a452073

SHA1
8e310c958c77ce7c9fe049db0be5364ad91b565d

SHA256
837d63f4d1394900f80d43b3e1a119cb0fd2a4e2e1cd6ad756d73e8f8db0fdd3

SHA512
0919ac02b59de8b9354eb70044d2184dd8f80c0773735d902f9cb1d17706570b1196faa799bd97aaf05dbae41ca62bc089d3e8206c07d235d4824b74ef6f8be1

Download Submit
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe
MD5
0c2370c4716c039ded5e30167799e491

SHA1
9cadf1f158c372d9bbee08a4a5a7caeefc18ea66

SHA256
583eaf01e0ba2ac1f41715fb2bcc2da911ce96989060c2c231f5eefef3746ede

SHA512
9fbb488d818b735bfe89833b4babf98c511e6f25e85ae67f8c817b5da56f6a687b9eb5e31721e6a5a9f3d664cc66eb18f632a07c6e6ad183d95c9c115a300ab9

Download Submit
C:\Windows\Logs\SysInfo\Tools\InstalledDriversList64.exe
MD5
0c2370c4716c039ded5e30167799e491

SHA1
9cadf1f158c372d9bbee08a4a5a7caeefc18ea66

SHA256
583eaf01e0ba2ac1f41715fb2bcc2da911ce96989060c2c231f5eefef3746ede

SHA512
9fbb488d818b735bfe89833b4babf98c511e6f25e85ae67f8c817b5da56f6a687b9eb5e31721e6a5a9f3d664cc66eb18f632a07c6e6ad183d95c9c115a300ab9

Download Submit
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe
MD5
596fbfb52190c388c460576db867dcef

SHA1
e7a1431b04e5a5620b1abcb7840f1be5057c6270

SHA256
1bb3309488c00c052e3b69669486c3e7acedc101d2efd03fb129012a937e8311

SHA512
84eca3ae8333bc3ed2a10f30e0028ffd54bc63aeb448f87e79e01e7fd96f25facc08c0cb0b8adca91ae1cc5bf66c754aba096612eb0881e3bbad5550458ecc05

Download Submit
C:\Windows\Logs\SysInfo\Tools\LastActivityView.exe
MD5
596fbfb52190c388c460576db867dcef

SHA1
e7a1431b04e5a5620b1abcb7840f1be5057c6270

SHA256
1bb3309488c00c052e3b69669486c3e7acedc101d2efd03fb129012a937e8311

SHA512
84eca3ae8333bc3ed2a10f30e0028ffd54bc63aeb448f87e79e01e7fd96f25facc08c0cb0b8adca91ae1cc5bf66c754aba096612eb0881e3bbad5550458ecc05

Download Submit
C:\Windows\Logs\SysInfo\Tools\Log.exe
MD5
00cc7593a89abb525f406e74967d2273

SHA1
2343d09a3cf0ff973e1153050a46b4c354358e12

SHA256
b9082d0e28858a8a0d7b749ca31a3cd778155c5539b463efb8a49a44e45cbe5c

SHA512
f169fe6f94a20ca309aabf0a2afbe5b1484b8d6271bab5a8612d4585960ad9fa433355e59fb97b2f85cb47b4aaee26b5d20a8fb03c652e6192be4b11516de05e

Download Submit
C:\Windows\Logs\SysInfo\Tools\Log.exe
MD5
00cc7593a89abb525f406e74967d2273

SHA1
2343d09a3cf0ff973e1153050a46b4c354358e12

SHA256
b9082d0e28858a8a0d7b749ca31a3cd778155c5539b463efb8a49a44e45cbe5c

SHA512
f169fe6f94a20ca309aabf0a2afbe5b1484b8d6271bab5a8612d4585960ad9fa433355e59fb97b2f85cb47b4aaee26b5d20a8fb03c652e6192be4b11516de05e

Download Submit
C:\Windows\Logs\SysInfo\Tools\MONDEVS.txt
MD5
610fef7f0b3112675c0eb2c85ab87807

SHA1
96b5d189eba62ec3368045138503d0af1cd897eb

SHA256
0076c52b54eb9d15947b0c2e52278ccab38ce2edf5b71ff8ca13bc9ce2f3cb1e

SHA512
153701b4620c0aa3f64645d848ba441d593916a9d6877fe4c4e6d6c17427516e912f0a0d6ae77cbeb48c76483ea4a88750ca8697adbc4c1b0f9b1fda66e9bd19

Download Submit
C:\Windows\Logs\SysInfo\Tools\PCIDEVS.txt
MD5
38e71645fd9e76389a3633babe1fe882

SHA1
3d6c0775090cccb47bb7f371a36da7777cb6a5a1

SHA256
af21202c9d6912e72e2c56cdf4edf40552d59f71dc889585b078711732d9b6e7

SHA512
3433a19ae3aebf8ccf64876774248a9c0b3cadacff417295a8521255daa7334a59fc0ce916ea51270bf47590aad37e94d7e4bdc1f1d8f0c57b13e60c6871f51a

Download Submit
C:\Windows\Logs\SysInfo\Tools\PCMDEVS.txt
MD5
1819008e9ee4035ff7ef71958bca5f32

SHA1
ab7eda3b536d48b32741774f7f9e921da072fe63

SHA256
80b9d7f98342ae910a513d16dd760975fcd453df6ab86852f745ad9f22d94041

SHA512
e70ae84c13f323ea4031f19fec43413aea66881e1d63314ffbb897586b5a3b5465d10e0a4b699ce9acaf8c4d0c28846cd31346b6584ee51c6ae12e5c0fada78f

Download Submit
C:\Windows\Logs\SysInfo\Tools\PNPDEVS.txt
MD5
27af0994c13c15284c03d5f1456d8c85

SHA1
252510245b9bccefb81565b5b5cc7ae17772614b

SHA256
90925e63d4373ae0c636388fd113c50fd0d05972e2a5e592edf373cae8b342f4

SHA512
7cdfdf062a3b86275328eeda4e2b1a970df534f074de901b2a14c002bbd6b8b419078fdcefb638c104fe092d5128ba820a1884d38f329c292ceb320469be21c0

Download Submit
C:\Windows\Logs\SysInfo\Tools\RJMQBVDN.html
MD5
d0c3f84c882c84628ed0c8cd8b21adf0

SHA1
dc161aa7466e7c3fa30d68bfa54638a08b9e35f9

SHA256
b03e0b41ee6b72552270a2e28e2f6e42aeacd6c07c18ff0bcffc2533bd7d708a

SHA512
e15875f3e5a4242d12473e3f1744bdd4557deddbccf6d9183a648b6914c5309b50b2d4d3247937161b39039c326e881f0a8c011c0051ebc564bbabbd1cefb683

Download Submit
C:\Windows\Logs\SysInfo\Tools\SDI-drv.exe
MD5
b0b0c9d7b08f10b1b38b9c137fbf13da

SHA1
18c49f26de70b1842e08923082d6ac1ed5a9fd35

SHA256
956e9a001c3ae0b4996fa2cc337c2d1d6efbbfd64292866a284cc65cfe0e7d51

SHA512
8785a925b97297febc13a232d72761e623276d05d7dc2a48b697233965a05b4d3d43e7910df2610c5ed9641673121d41e4db92ec90c1cea66af8a1561633f315

Download Submit
C:\Windows\Logs\SysInfo\Tools\SIV64X.exe
MD5
7763c800239914ae3665d0fa55091c7c

SHA1
6d5b1513045b68ec957c3faa385260ceed65047b

SHA256
a2e79e37a834b60d5105c6cff2ae18b66973ed192900fe64330e442a3e4c5f6e

SHA512
35498e641fdb8fe09487b2672fa719c73c2d6a918e7545c6c7d8225879c1767180a3a953f835b8614838bbac833fdfecb803c85e256a1a10f97a80d7092e5a7a

Download Submit
C:\Windows\Logs\SysInfo\Tools\SIVX64.sys
MD5
3edb474037615be19d430bd05fb8d20d

SHA1
2dfe7c3266341a5c94ff8a006f8c41989123a3a0

SHA256
939375205f731af340771db3b10194adbff18d82c846d524ed2facab1545c012

SHA512
8205e1f1ffae11463d72d12ca52e974ba1a8c104e6ed76860b48473a31e6ad6d3ee053e9bd9af6588ea6b9ef114b6131791dbf60a6e589975fa29c5d781cb508

Download Submit
C:\Windows\Logs\SysInfo\Tools\SIV_RJMQBVDN.txt
MD5
a35e8f291c5856b9b30713f7c2a092e3

SHA1
b50b542891c220f868ffabd045fd929fe41389c9

SHA256
df38e573ea913d81ab0f5a753c9675c2c4cb43bf2a1b6ccaa86f00f9f7683cbf

SHA512
e12de497e24c7217d7f44921d15507e862c96d95ea609880906fc203bdc64f0cb5f476d11800bc1767168c41ccc47a30573bab19ea1f5027fa0173d954deaeaa

Download Submit
C:\Windows\Logs\SysInfo\Tools\USBDEVS.txt
MD5
6acab42496e1547387533a5fc7d8e317

SHA1
e7ff10340aae3b37c644098e68e4bd0f6c78f964

SHA256
b5ebb17f0a978ff110fdd5184955e631e2046d0830d9b6042a50e6354cf1536b

SHA512
3a406b45cc74881f3167ef6d9cd6dc8d2e16f53f07c32eb236c01b9f76f471a41752dff66cd21cb32d1b7ec8345c9335f6804665d8c45bac898ecc94791fce54

Download Submit
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe
MD5
d2a2a0ce38faa12254fbba8c0467ac46

SHA1
fbb7b582ea66642c8ac774696e150526f2cc8fa4

SHA256
7d8e7090d53098f029abd9f98d1a9f1afcdc02d4439ed6a167c53e877a35cff9

SHA512
625fb26cc03da58e98cf640550196aafd48413b16698673bedfd279c6dae16b2cb566b9f703e4bb07860fb2f3bc06247d6f4d0241b786a2bbaf261276db6c036

Download Submit
C:\Windows\Logs\SysInfo\Tools\WhatInStartup.exe
MD5
d2a2a0ce38faa12254fbba8c0467ac46

SHA1
fbb7b582ea66642c8ac774696e150526f2cc8fa4

SHA256
7d8e7090d53098f029abd9f98d1a9f1afcdc02d4439ed6a167c53e877a35cff9

SHA512
625fb26cc03da58e98cf640550196aafd48413b16698673bedfd279c6dae16b2cb566b9f703e4bb07860fb2f3bc06247d6f4d0241b786a2bbaf261276db6c036

Download Submit
C:\Windows\Logs\SysInfo\Tools\WinAudit.exe
MD5
11a4917010f23a9caa8fef1f3bcd6b98

SHA1
79c51b63ceb4668a2974ad0c94462b699747da93

SHA256
f9bd55277cbde6f84db9d017512277812e64da6b86ff176b9716f52e322cf926

SHA512
2e95e4492db32f3683949448704527ef23658af836421ef6064b5fdbf4cdd6dcf57212be2ab916171401951c5d1ea23b7dd227ca5ab9226bf33d26f954bf00b9

Download Submit
C:\Windows\Logs\SysInfo\Tools\WinAudit.exe
MD5
11a4917010f23a9caa8fef1f3bcd6b98

SHA1
79c51b63ceb4668a2974ad0c94462b699747da93

SHA256
f9bd55277cbde6f84db9d017512277812e64da6b86ff176b9716f52e322cf926

SHA512
2e95e4492db32f3683949448704527ef23658af836421ef6064b5fdbf4cdd6dcf57212be2ab916171401951c5d1ea23b7dd227ca5ab9226bf33d26f954bf00b9

Download Submit
C:\Windows\Logs\SysInfo\Tools\fix_dll.cmd
MD5
df28279478a8b82ed171dacfc137f617

SHA1
01192107dd9eb5ce0adaf535cfbd5d18af50eb73

SHA256
6ec68bf3e10f3a0c88ac1ef317e171a74452081735f45d3ac59c1b95772597c6

SHA512
fb9acf6825d3766b0c454c464e50f988a55ff41bd1b810ea24dfa2918cfdc5ac36e6a5e69be12e8e21875e23e88cb27f6be39f4e8069ec89055b35a2335cc2d2

Download Submit
C:\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Windows\Logs\SysInfo\Tools\hidec.exe
MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Windows\Logs\SysInfo\Tools\logs\2021_05_07__14_45_50__RJMQBVDN_state.snp
MD5
8488f4422b0223fc5294ee7976dceaa9

SHA1
751f05f2a0de6550b5819fd226db9560116691b9

SHA256
fcdc8f9193c37d4531ec02b85f22d404a17af0f69bac07003c36ff9b9d8754c9

SHA512
b53b3c05ee22def8ac8c3f1dd3221dfa9f0ef50867b753dafbd875620fd13981b2282f5123678c33e28e30c33f9b23d546902897ed1495c343aec96aa12e8847

Download Submit
\Users\Admin\AppData\Local\Temp\nsx27C3.tmp\System.dll
MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Local\Temp\nsx27C3.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsx27C3.tmp\nsProcess.dll
MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/204-126-0x0000000000000000-mapping.dmp

Download
memory/204-224-0x0000000000000000-mapping.dmp

Download
memory/500-193-0x0000000000000000-mapping.dmp

Download
memory/732-140-0x0000000000000000-mapping.dmp

Download
memory/1364-202-0x0000000000000000-mapping.dmp

Download
memory/1388-174-0x0000000000000000-mapping.dmp

Download
memory/1412-143-0x0000000000000000-mapping.dmp

Download
memory/1536-132-0x0000000000000000-mapping.dmp

Download
memory/1856-168-0x0000000000000000-mapping.dmp

Download
memory/1944-115-0x0000000000000000-mapping.dmp

Download
memory/1968-162-0x0000000000000000-mapping.dmp

Download
memory/1968-205-0x0000000000000000-mapping.dmp

Download
memory/1980-182-0x0000000000000000-mapping.dmp

Download
memory/1980-189-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1980-191-0x0000000008750000-0x0000000008D90000-memory.dmp

Filesize
6.2MB

Download
memory/2116-135-0x0000000000000000-mapping.dmp

Download
memory/2392-192-0x0000000000000000-mapping.dmp

Download
memory/2512-176-0x0000000000000000-mapping.dmp

Download
memory/2652-201-0x0000000000000000-mapping.dmp

Download
memory/2692-155-0x0000000000000000-mapping.dmp

Download
memory/2744-129-0x0000000000000000-mapping.dmp

Download
memory/2744-163-0x0000000000000000-mapping.dmp

Download
memory/2772-178-0x0000000000000000-mapping.dmp

Download
memory/2804-170-0x0000000000000000-mapping.dmp

Download
memory/2848-175-0x0000000000000000-mapping.dmp

Download
memory/2868-203-0x0000000000000000-mapping.dmp

Download
memory/2868-223-0x0000000000000000-mapping.dmp

Download
memory/2884-137-0x0000000000000000-mapping.dmp

Download
memory/3064-169-0x0000000000000000-mapping.dmp

Download
memory/3076-153-0x0000000000000000-mapping.dmp

Download
memory/3148-222-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3148-198-0x0000000000000000-mapping.dmp

Download
memory/3212-177-0x0000000000000000-mapping.dmp

Download
memory/3220-158-0x0000000000000000-mapping.dmp

Download
memory/3332-157-0x0000000000000000-mapping.dmp

Download
memory/3448-180-0x0000000000000000-mapping.dmp

Download
memory/3588-118-0x0000000000000000-mapping.dmp

Download
memory/3600-179-0x0000000000000000-mapping.dmp

Download
memory/3612-165-0x0000000000000000-mapping.dmp

Download
memory/3624-164-0x0000000000000000-mapping.dmp

Download
memory/3712-172-0x0000000000000000-mapping.dmp

Download
memory/3768-171-0x0000000000000000-mapping.dmp

Download
memory/3808-181-0x0000000000000000-mapping.dmp

Download
memory/3880-173-0x0000000000000000-mapping.dmp

Download
memory/3884-124-0x0000000000000000-mapping.dmp

Download
memory/3900-150-0x0000000000000000-mapping.dmp

Download
memory/4016-121-0x0000000000000000-mapping.dmp

Download