svcstealer | e9351ddc6fed8b30ea643f8a1c689138290f4ad73948a684f1735a4f85c6c668

Analysis

max time kernel
153s
max time network
156s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
06/04/2025, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lang/lang.exe
Size

762.9MB
MD5

0937bd480f16b2dfc6f939d4bf26016d
SHA1

12fe85a77737afa5a75fb16d7047e997ca183ae0
SHA256

05e041cacd46f389e456c633ee9ad897300aa025edd3cf0b795240c9f8e9e12b
SHA512

48cd1b35d8f01589cb57a15ed4d69dbeedc2623e0383adb0044d2f588ea0f54dc683997a7af45666cf6f51e3a1ab55005ea4ca2f4b7401bff825a3b562371ce5
SSDEEP

49152:V6qWnJqevKBuMMW/sMPd7SgpBjIQZVwaLliXN/FHoUg/9z1vWRJLo:ApPY/OKxB5bYrHoUi1vW3o

Score

10^/10

svcstealer discovery downloader execution persistence stealer

Malware Config

Signatures

Detects SvcStealer Payload 7 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral5/memory/4780-81-0x00000000023F0000-0x00000000024F5000-memory.dmp	family_svcstealer
behavioral5/memory/3552-88-0x000000000B730000-0x000000000B83B000-memory.dmp	family_svcstealer
behavioral5/memory/3552-87-0x000000000B730000-0x000000000B83B000-memory.dmp	family_svcstealer
behavioral5/memory/3552-121-0x00000000023D0000-0x0000000002403000-memory.dmp	family_svcstealer
behavioral5/memory/3552-123-0x000000000B730000-0x000000000B83B000-memory.dmp	family_svcstealer
behavioral5/memory/3552-126-0x000000000B730000-0x000000000B83B000-memory.dmp	family_svcstealer
behavioral5/memory/3552-120-0x000000000B730000-0x000000000B83B000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	lang.tmp

Executes dropped EXE 6 IoCs

pid	Process
2992	lang.tmp
3828	lang.tmp
892	948A.tmp.exe
5164	948A.tmp.exe
3124	winserv.exe
4480	935E.tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
4696	regsvr32.exe
4780	regsvr32.exe
5324	regsvr32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Local\\Temp\\948A.tmp.exe"	948A.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Roaming\\Winserv\\winserv.exe"	948A.tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
4860	powershell.exe
936	powershell.exe
1232	powershell.exe
3528	powershell.exe
3928	PowerShell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lang.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	948A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	948A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lang.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lang.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3828	lang.tmp
3828	lang.tmp
4780	regsvr32.exe
4780	regsvr32.exe
4860	powershell.exe
4860	powershell.exe
3928	PowerShell.exe
3928	PowerShell.exe
4780	regsvr32.exe
4780	regsvr32.exe
936	powershell.exe
936	powershell.exe
4780	regsvr32.exe
4780	regsvr32.exe
5324	regsvr32.EXE
5324	regsvr32.EXE
1232	powershell.exe
1232	powershell.exe
5324	regsvr32.EXE
5324	regsvr32.EXE
3528	powershell.exe
3528	powershell.exe
5324	regsvr32.EXE
5324	regsvr32.EXE
3552	Explorer.EXE
3552	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3552	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeIncreaseQuotaPrivilege	4860	powershell.exe
Token: SeSecurityPrivilege	4860	powershell.exe
Token: SeTakeOwnershipPrivilege	4860	powershell.exe
Token: SeLoadDriverPrivilege	4860	powershell.exe
Token: SeSystemProfilePrivilege	4860	powershell.exe
Token: SeSystemtimePrivilege	4860	powershell.exe
Token: SeProfSingleProcessPrivilege	4860	powershell.exe
Token: SeIncBasePriorityPrivilege	4860	powershell.exe
Token: SeCreatePagefilePrivilege	4860	powershell.exe
Token: SeBackupPrivilege	4860	powershell.exe
Token: SeRestorePrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeSystemEnvironmentPrivilege	4860	powershell.exe
Token: SeRemoteShutdownPrivilege	4860	powershell.exe
Token: SeUndockPrivilege	4860	powershell.exe
Token: SeManageVolumePrivilege	4860	powershell.exe
Token: 33	4860	powershell.exe
Token: 34	4860	powershell.exe
Token: 35	4860	powershell.exe
Token: 36	4860	powershell.exe
Token: SeDebugPrivilege	3928	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3928	PowerShell.exe
Token: SeSecurityPrivilege	3928	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3928	PowerShell.exe
Token: SeLoadDriverPrivilege	3928	PowerShell.exe
Token: SeSystemProfilePrivilege	3928	PowerShell.exe
Token: SeSystemtimePrivilege	3928	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3928	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3928	PowerShell.exe
Token: SeCreatePagefilePrivilege	3928	PowerShell.exe
Token: SeBackupPrivilege	3928	PowerShell.exe
Token: SeRestorePrivilege	3928	PowerShell.exe
Token: SeShutdownPrivilege	3928	PowerShell.exe
Token: SeDebugPrivilege	3928	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3928	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3928	PowerShell.exe
Token: SeUndockPrivilege	3928	PowerShell.exe
Token: SeManageVolumePrivilege	3928	PowerShell.exe
Token: 33	3928	PowerShell.exe
Token: 34	3928	PowerShell.exe
Token: 35	3928	PowerShell.exe
Token: 36	3928	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3928	PowerShell.exe
Token: SeSecurityPrivilege	3928	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3928	PowerShell.exe
Token: SeLoadDriverPrivilege	3928	PowerShell.exe
Token: SeSystemProfilePrivilege	3928	PowerShell.exe
Token: SeSystemtimePrivilege	3928	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3928	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3928	PowerShell.exe
Token: SeCreatePagefilePrivilege	3928	PowerShell.exe
Token: SeBackupPrivilege	3928	PowerShell.exe
Token: SeRestorePrivilege	3928	PowerShell.exe
Token: SeShutdownPrivilege	3928	PowerShell.exe
Token: SeDebugPrivilege	3928	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3928	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3928	PowerShell.exe
Token: SeUndockPrivilege	3928	PowerShell.exe
Token: SeManageVolumePrivilege	3928	PowerShell.exe
Token: 33	3928	PowerShell.exe
Token: 34	3928	PowerShell.exe
Token: 35	3928	PowerShell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3828	lang.tmp

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2992	2724	lang.exe	86
PID 2724 wrote to memory of 2992	2724	lang.exe	86
PID 2724 wrote to memory of 2992	2724	lang.exe	86
PID 2992 wrote to memory of 5672	2992	lang.tmp	87
PID 2992 wrote to memory of 5672	2992	lang.tmp	87
PID 2992 wrote to memory of 5672	2992	lang.tmp	87
PID 5672 wrote to memory of 3828	5672	lang.exe	88
PID 5672 wrote to memory of 3828	5672	lang.exe	88
PID 5672 wrote to memory of 3828	5672	lang.exe	88
PID 3828 wrote to memory of 4696	3828	lang.tmp	89
PID 3828 wrote to memory of 4696	3828	lang.tmp	89
PID 3828 wrote to memory of 4696	3828	lang.tmp	89
PID 4696 wrote to memory of 4780	4696	regsvr32.exe	90
PID 4696 wrote to memory of 4780	4696	regsvr32.exe	90
PID 4780 wrote to memory of 4860	4780	regsvr32.exe	92
PID 4780 wrote to memory of 4860	4780	regsvr32.exe	92
PID 4780 wrote to memory of 3928	4780	regsvr32.exe	94
PID 4780 wrote to memory of 3928	4780	regsvr32.exe	94
PID 4780 wrote to memory of 936	4780	regsvr32.exe	96
PID 4780 wrote to memory of 936	4780	regsvr32.exe	96
PID 4780 wrote to memory of 3552	4780	regsvr32.exe	57
PID 5324 wrote to memory of 1232	5324	regsvr32.EXE	102
PID 5324 wrote to memory of 1232	5324	regsvr32.EXE	102
PID 5324 wrote to memory of 3528	5324	regsvr32.EXE	104
PID 5324 wrote to memory of 3528	5324	regsvr32.EXE	104
PID 3552 wrote to memory of 892	3552	Explorer.EXE	106
PID 3552 wrote to memory of 892	3552	Explorer.EXE	106
PID 3552 wrote to memory of 892	3552	Explorer.EXE	106
PID 3552 wrote to memory of 2860	3552	Explorer.EXE	107
PID 3552 wrote to memory of 2860	3552	Explorer.EXE	107
PID 3552 wrote to memory of 4128	3552	Explorer.EXE	109
PID 3552 wrote to memory of 4128	3552	Explorer.EXE	109
PID 2860 wrote to memory of 5164	2860	cmd.exe	111
PID 2860 wrote to memory of 5164	2860	cmd.exe	111
PID 2860 wrote to memory of 5164	2860	cmd.exe	111
PID 4128 wrote to memory of 3124	4128	cmd.exe	112
PID 4128 wrote to memory of 3124	4128	cmd.exe	112
PID 4128 wrote to memory of 3124	4128	cmd.exe	112
PID 3552 wrote to memory of 4480	3552	Explorer.EXE	113
PID 3552 wrote to memory of 4480	3552	Explorer.EXE	113

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\lang\lang.exe
  "C:\Users\Admin\AppData\Local\Temp\lang\lang.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\is-T7VNO.tmp\lang.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-T7VNO.tmp\lang.tmp" /SL5="$501D0,2695233,175616,C:\Users\Admin\AppData\Local\Temp\lang\lang.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\lang\lang.exe
      "C:\Users\Admin\AppData\Local\Temp\lang\lang.exe" /VERYSILENT
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5672
    - - C:\Users\Admin\AppData\Local\Temp\is-6DV26.tmp\lang.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6DV26.tmp\lang.tmp" /SL5="$B0264,2695233,175616,C:\Users\Admin\AppData\Local\Temp\lang\lang.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\d3d118.drv"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\system32\regsvr32.exe
        
        /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\d3d118.drv"
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:936
- C:\Users\Admin\AppData\Local\Temp\948A.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\948A.tmp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\948A.tmp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\948A.tmp.exe
    C:\Users\Admin\AppData\Local\Temp\948A.tmp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3124
- C:\Users\Admin\AppData\Local\Temp\935E.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\935E.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:4480

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\d3d118.drv"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
703019b652679054651571593c66d5ed

SHA1
c8217aed127ed87e1ae06311082508bc2008d779

SHA256
ca2263536d221f18cbf62b141c1fb6cbf130bab958118c9148e011a9befcdbcf

SHA512
c76ec6a9e48f357cd9741c6ce8a906a66d582ea6c8f0798689cbb276a3023691d29568001a36946b58e1adfd77d2e5efec686cff9bbc32e2e958926011ebbde1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8d7aa0fa134f748201458c017b5682f

SHA1
eab823b449a0926042f47f97039aad611aff3bc3

SHA256
7f5640202e6963b46d96139c361ebb7b6949951b9bac1c771d329cad75199324

SHA512
2f0b9e67c8362b536b25fd47e74a17c0693b0c0b9509cf1e70011da0d16fa70b080111fc0992884ec6e6da4a4fb7304a3b49acf88d334672c960235620078d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bfb3be58c609e292914d9de9ad618a01

SHA1
638ccc3765a035e4895a4636561fef22b8cab72f

SHA256
c9ad365eb1b82774a0847e3618ae6b931a6521264b0f9d527bf1120c6627cebd

SHA512
8ea5303317046f76ee44867c3c87150d2bb8cb077206a08001642dc8704ccd5021c7d177e09fd684e8e7f8729b639f9718517ecba909fcbe12d45912796f56c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10eba7be6fa7b79f14ad882d2bdc72ef

SHA1
e1a2c8b9433943189a17264bbda9d529c50afed9

SHA256
b864d7a60276f342cf107e0da34f683eb779719202d05225d7148934904b12ec

SHA512
9e7daab81f62e7a5f0226ef92d09c6221763d5c192731df8531e7b80fa2c74caf9c6df9f54b7ab44135967c36107c68305cb09553da615b36a068bc19576691f

Download Submit
C:\Users\Admin\AppData\Local\Temp\935E.tmp.exe

Filesize
253KB

MD5
a763e95afd333105b08aaf33f7fb1bea

SHA1
0ff903c6cace210ca3dda53eadbcdaa26a3f229c

SHA256
fb195f7313f9e00520e7ba6767665c0e1c24fc5135bff6f6af59d5d008f141bc

SHA512
0c9ae565e261cebf49105d17b8a06b004009cd882a17c854a5bd0d6390fdfb47433eac8e8a33c8de2740695d0ddec105fef7dc4f0a8ed66a714f6c6bf24d076d

Download Submit
C:\Users\Admin\AppData\Local\Temp\948A.tmp.exe

Filesize
177KB

MD5
3b127ebb1071fe3d90fe545aa1698700

SHA1
dadb18a698f8b76022446945e19410a633816a0b

SHA256
ed4d7c0d28ce4fb03726b009ab5a8035291d2f5026b1e2a8d6f0ee478c7a5a26

SHA512
5e58a8a3e3b1621cd8158f664652cf6bfa87b93052ec4af29b7ff17d3d33055fa8f939592032a57a7fbd0dd90c9485fa26d5cb5185899af76c7cf1015148a817

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cebs3kw2.nbr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-57KA6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T7VNO.tmp\lang.tmp

Filesize
1.1MB

MD5
8aff8eda5770ce3ad2eda9dabad45149

SHA1
4d0986d27ea911125de35f334c5520643799863b

SHA256
c7f83b8e3f156dafaa203997e26e6fcf3ec1eca88c305e11173bd1704d1d5cd0

SHA512
6009158a30705c61c94ce2fe46ab11e5bf2ed451b40043e7959c875c964843b3caadddecaa78e6df459e5ad45b33907e0e0d3397ad2cabc372758be99f659e26

Download Submit
C:\Users\Admin\AppData\Roaming\d3d118.drv

Filesize
10.3MB

MD5
8aca52db833d1ba385e1e859a59bdbd4

SHA1
e09a789a9ff49190051040d2eef2a185e65448e4

SHA256
017f3c01c61deadc93b7e8ecc84816bc3cb4a6456f4c21d96958ccc20c4e913e

SHA512
b9ff193bc0c3489785de241fee91f0746c127b111e9730c9fc35dddcbeb60fa269407ac0236e5f0f4f0fd2827e14a160d3d798f451f1478dd01ace974945876e

Download Submit
memory/2724-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2724-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-18-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2992-7-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3552-121-0x00000000023D0000-0x0000000002403000-memory.dmp

Filesize
204KB

Download
memory/3552-135-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3552-88-0x000000000B730000-0x000000000B83B000-memory.dmp

Filesize
1.0MB

Download
memory/3552-123-0x000000000B730000-0x000000000B83B000-memory.dmp

Filesize
1.0MB

Download
memory/3552-120-0x000000000B730000-0x000000000B83B000-memory.dmp

Filesize
1.0MB

Download
memory/3552-126-0x000000000B730000-0x000000000B83B000-memory.dmp

Filesize
1.0MB

Download
memory/3552-87-0x000000000B730000-0x000000000B83B000-memory.dmp

Filesize
1.0MB

Download
memory/3552-136-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3828-26-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3828-39-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4780-81-0x00000000023F0000-0x00000000024F5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-89-0x00007FFB7C200000-0x00007FFB7CBFB000-memory.dmp

Filesize
10.0MB

Download
memory/4780-80-0x00007FFB7C200000-0x00007FFB7CBFB000-memory.dmp

Filesize
10.0MB

Download
memory/4860-43-0x00000213D1CB0000-0x00000213D1CD2000-memory.dmp

Filesize
136KB

Download
memory/5324-113-0x00007FFB7C200000-0x00007FFB7CBFB000-memory.dmp

Filesize
10.0MB

Download
memory/5324-141-0x00007FFB7C200000-0x00007FFB7CBFB000-memory.dmp

Filesize
10.0MB

Download
memory/5672-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5672-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5672-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download