Overview

overview

10

Static

static

5

jopik.exe

windows10-ltsc_2021-x64

10

Analysis

  • max time kernel
    899s
  • max time network
    867s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-uk
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-uklocale:uk-uaos:windows10-ltsc_2021-x64systemwindows
  • submitted
    30/03/2025, 11:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jopik.exe

  • Size

    3.1MB

  • MD5

    25af61a744bdfb7be6e811a1119d55f6

  • SHA1

    c4352f21b66710e390592d50ae5914ce0c33cf56

  • SHA256

    babed92f8fa49db0ca046162e82f7e2403f33c4ca9ea5097ba981a5d3d365793

  • SHA512

    3b7bc8129c5fec44139d502b2c410680724bac368aa17094f6191d57e4f8fac182f28e86f8db512d0472e088540449171602a4f3b0db96b6811b7fb73f4580dc

  • SSDEEP

    98304:jqmG8KBY7G6G6GCKuuhjtdtyDzPcuBol:2mv/G6Yad7a

Score
10/10
dcratsalatstealercredential_accessdiscoveryinfostealerpersistenceratspywarestealerupx

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect SalatStealer payload 47 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Salatstealer family
    salatstealer
  • salatstealer

    SalatStealer is a stealer that takes sceenshot written in Golang.

    stealersalatstealer
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 17 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • UPX packed file 55 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\jopik.exe
    "C:\Users\Admin\AppData\Local\Temp\jopik.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5524
    • C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe
      "C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5492
      • C:\Program Files (x86)\Microsoft\Edge\Application\winlogon.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\winlogon.exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5148
      • C:\Program Files\Google\Chrome\Application\winlogon.exe
        "C:\Program Files\Google\Chrome\Application\winlogon.exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1632
      • C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe
        "C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5056
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jopa.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3836
        • C:\Users\Admin\AppData\Local\Temp\jopa.exe
          C:\Users\Admin\AppData\Local\Temp\jopa.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:5728
      • C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe
        "C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe" -
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4604
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hitler.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Users\Admin\AppData\Local\Temp\hitler.exe
          C:\Users\Admin\AppData\Local\Temp\hitler.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
            "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1020
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5080
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5920
                • C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
                  "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:344
                  • C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe
                    "C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5052
  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
    1⤵
      PID:4496
    • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
      1⤵
        PID:4660
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jopa.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Users\Admin\AppData\Local\Temp\jopa.exe
          C:\Users\Admin\AppData\Local\Temp\jopa.exe
          2⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          PID:4260
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:2716
        • C:\Users\Admin\AppData\Local\Comms\RuntimeBroker.exe
          "C:\Users\Admin\AppData\Local\Comms\RuntimeBroker.exe"
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1788
        • C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe
          "C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe"
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2868
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\425e4b9c48bf9566ebce35\sihost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2668
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\425e4b9c48bf9566ebce35\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\425e4b9c48bf9566ebce35\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\425e4b9c48bf9566ebce35\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4360
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\425e4b9c48bf9566ebce35\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\425e4b9c48bf9566ebce35\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1524
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\425e4b9c48bf9566ebce35\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4500
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\425e4b9c48bf9566ebce35\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\425e4b9c48bf9566ebce35\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\133.0.6943.60\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2324
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\133.0.6943.60\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\133.0.6943.60\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1088
        • C:\Program Files\Microsoft Office\PackageManifests\conhost.exe
          "C:\Program Files\Microsoft Office\PackageManifests\conhost.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4796
        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe
          "C:\Program Files (x86)\Mozilla Maintenance Service\logs\sysmon.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2436
        • C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe
          "C:\NVIDIA\DisplayDriver\535.21\OfficeClickToRun.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2644
        • C:\Program Files\Microsoft Office\PackageManifests\conhost.exe
          "C:\Program Files\Microsoft Office\PackageManifests\conhost.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5308

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        3
        T1112

        Subvert Trust Controls

        1
        T1553

        Install Root Certificate

        1
        T1553.004

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        4
        T1552

        Credentials In Files

        4
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
          Filesize

          1.4MB

          MD5

          4a591f46c87b49a7de93f5ac771cd4ab

          SHA1

          e0992350818e5c56d3f2e3a6db340d1f5b8f3314

          SHA256

          b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

          SHA512

          b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

          Download Submit

        • C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat
          Filesize

          53B

          MD5

          7784d810f5ff3afa8df50e360eb90e7d

          SHA1

          f04802a991ff6461aa1c35b7c0f68e43d5a114c6

          SHA256

          0385dbf94fc27705560cf0b6b04e9a37181db486ee8f7573c5ad2217d18f4ca0

          SHA512

          80038ae2bfd5f8ca3f4812ab5c342878f98978007125c9dca5edb915701a5383916131cdc3082c054c49c508cd210aff70319ac0fc498cbdd6cee776df672cac

          Download Submit

        • C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe
          Filesize

          225B

          MD5

          d7df2670ad0c6c7b9cc48122f20f086c

          SHA1

          e69bf8c214d8c4b768125ca03e402e1c871cc233

          SHA256

          d3bf5c54de984dd2d1d779494deb8a995cc062eb5f25c465d0de78d99b8cc52b

          SHA512

          05ed88410790bf74dc7ab880f893e555c4859c133e79a89f28b5e1a68c36f4a4f28d3b7b6532953c04b6d23a21faf53e60107efde9e6acb492a9235d48943f03

          Download Submit

        • C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe
          Filesize

          3.1MB

          MD5

          25af61a744bdfb7be6e811a1119d55f6

          SHA1

          c4352f21b66710e390592d50ae5914ce0c33cf56

          SHA256

          babed92f8fa49db0ca046162e82f7e2403f33c4ca9ea5097ba981a5d3d365793

          SHA512

          3b7bc8129c5fec44139d502b2c410680724bac368aa17094f6191d57e4f8fac182f28e86f8db512d0472e088540449171602a4f3b0db96b6811b7fb73f4580dc

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log
          Filesize

          1KB

          MD5

          12a813ec669d9480f522198c50939fb3

          SHA1

          8183507eb58e6d4a2681cc13371ab673f92b644f

          SHA256

          049951a35a57119f9057c912a8ce26ef4aeea74c8442693cc8ba99527c2483fb

          SHA512

          f02a15dc78a391966f0f7c86c9663469a1c8e47dab6b7b4f47fcf45f4587b66008bec68e598fee9d690e7a749a974e86bde0a3c5b17f0d2e6ca6445816b3983d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
          Filesize

          1.8MB

          MD5

          531bf67134a7c1fb4096113ca58cc648

          SHA1

          99e0fc1fb7a07c0685e426b327921d3e6c34498c

          SHA256

          67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

          SHA512

          8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hitler.exe
          Filesize

          10.4MB

          MD5

          3a1733f19b9ca74fe793df23700c3519

          SHA1

          31cf4474f0ac00d45c19b7e31e7dc9fde3054091

          SHA256

          1b2a026beda12eff88e2397931018031e4358de05aa449e3441434e6cf5dad6c

          SHA512

          0cd23dce1880c0b11d19f7d58102020baba7033e828aee233f8ed6b7d11c622d1dcec38c4a3e6c4691e07f7a1609fe550a30517e662236e164e550e87bea777b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jopa.exe
          Filesize

          436KB

          MD5

          713e18e3fc579e73a1926d06729d9687

          SHA1

          cdaf86e6ebac8b52a43709f8fdbfb29b15c65513

          SHA256

          effaa8fb70619158f6d2263ef45e328db84c49a20658a82621e28d0f03c4723a

          SHA512

          497682193b5924f5ab8579e07a1c7cfdb179f4858f6460c139da9afa7d0d2858df79a5fad0680c1d83335bf8b639c8f9d91365e79d84465bd076fdfacd8dbdd9

          Download Submit

        • memory/344-171-0x000000001B9E0000-0x000000001B9EE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/344-166-0x000000001B990000-0x000000001B9AC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/344-168-0x000000001B9B0000-0x000000001B9C6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/344-169-0x0000000001700000-0x0000000001710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/344-167-0x000000001C050000-0x000000001C0A0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/344-165-0x0000000000D20000-0x0000000000E8A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/344-170-0x000000001B9D0000-0x000000001B9DE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/344-172-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1632-22-0x0000000000670000-0x00000000011ED000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1632-21-0x0000000000670000-0x00000000011ED000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1700-133-0x0000000000280000-0x0000000000CE0000-memory.dmp

          Filesize

          10.4MB

          Download

        • memory/1788-94-0x0000000000330000-0x0000000000EAD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1788-92-0x0000000000330000-0x0000000000EAD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/3876-95-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/3876-93-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4260-89-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4260-52-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4260-48-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4260-80-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4260-56-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4604-199-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/4604-120-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-65-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-45-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-26-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-28-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-29-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-57-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-31-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-61-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-33-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-35-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-118-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-69-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-96-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-73-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-38-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-77-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-53-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-49-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-81-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5056-85-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5148-16-0x0000000000160000-0x0000000000CDD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5148-14-0x0000000000160000-0x0000000000CDD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-62-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-197-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-8-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-78-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-40-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-74-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-70-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-97-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-66-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-36-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-32-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-58-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-46-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-82-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-34-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-30-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-50-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-54-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-27-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-86-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-24-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5492-23-0x0000000000C40000-0x00000000017BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5524-0-0x0000000000740000-0x00000000012BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5524-9-0x0000000000740000-0x00000000012BD000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/5728-55-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/5728-83-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/5728-47-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download