73b7648081dfbe7fe76e6af38d7e761d0ada7f562cb8a62d9c78eadc2e5a0aa5

Analysis

max time kernel
1s
max time network
51s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
16/06/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.vbs
Size

1004B
MD5

75de9ae8e71b63a23053673cc11390bc
SHA1

325b5a1af627bd5a167af8b691fa62c04dedee2e
SHA256

73b7648081dfbe7fe76e6af38d7e761d0ada7f562cb8a62d9c78eadc2e5a0aa5
SHA512

f02bf9727ba9035ac4a683e4ab9e6e8d2006ff6b6d0aa893e621db25f043df867230dfc018cf4658af40ea0d470635946953c4d0d20e64936004d3d26c8dd9af

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	WScript.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
7336	NOTEPAD.EXE
7528	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4616	vlc.exe
4064	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4616	vlc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4616	vlc.exe
4616	vlc.exe
4616	vlc.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4616	vlc.exe
4616	vlc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4064	EXCEL.EXE
4616	vlc.exe
4064	EXCEL.EXE
4064	EXCEL.EXE
4064	EXCEL.EXE
2236	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 3332	1412	WScript.exe	80
PID 1412 wrote to memory of 3332	1412	WScript.exe	80
PID 3332 wrote to memory of 2712	3332	WScript.exe	84
PID 3332 wrote to memory of 2712	3332	WScript.exe	84
PID 2712 wrote to memory of 4692	2712	WScript.exe	87
PID 2712 wrote to memory of 4692	2712	WScript.exe	87
PID 4692 wrote to memory of 5076	4692	WScript.exe	89
PID 4692 wrote to memory of 5076	4692	WScript.exe	89
PID 5076 wrote to memory of 3104	5076	WScript.exe	90
PID 5076 wrote to memory of 3104	5076	WScript.exe	90
PID 3104 wrote to memory of 1220	3104	WScript.exe	92
PID 3104 wrote to memory of 1220	3104	WScript.exe	92

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        5⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        6⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        7⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        8⤵
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        9⤵
        
        PID:4712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        10⤵
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        11⤵
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        12⤵
        
        PID:3852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        13⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        14⤵
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        15⤵
        
        PID:3336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        16⤵
        
        PID:4076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        17⤵
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        18⤵
        
        PID:3420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        19⤵
        
        PID:5036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        20⤵
        
        PID:5248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        21⤵
        
        PID:5316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        22⤵
        
        PID:5376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        23⤵
        
        PID:5468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        24⤵
        
        PID:5620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        25⤵
        
        PID:5688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        26⤵
        
        PID:5784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        27⤵
        
        PID:5920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        28⤵
        
        PID:5996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        29⤵
        
        PID:6092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        30⤵
        
        PID:5156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        31⤵
        
        PID:5348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        32⤵
        
        PID:5684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        33⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        34⤵
        
        PID:6172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        35⤵
        
        PID:6320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        36⤵
        
        PID:6372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        37⤵
        
        PID:6424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        38⤵
        
        PID:6524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        39⤵
        
        PID:6680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        40⤵
        
        PID:6748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        41⤵
        
        PID:6816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        42⤵
        
        PID:6924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        43⤵
        
        PID:7060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        44⤵
        
        PID:7128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        45⤵
        
        PID:6780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        46⤵
        
        PID:7248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        47⤵
        
        PID:7512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        48⤵
        
        PID:7656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        49⤵
        
        PID:7712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        50⤵
        
        PID:7800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        51⤵
        
        PID:7968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        52⤵
        
        PID:8036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        53⤵
        
        PID:8128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        54⤵
        
        PID:7396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        55⤵
        
        PID:8152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        56⤵
        
        PID:8556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        57⤵
        
        PID:8752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        58⤵
        
        PID:8816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        59⤵
        
        PID:8892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        60⤵
        
        PID:8972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        61⤵
        
        PID:9152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        62⤵
        
        PID:9212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        63⤵
        
        PID:8448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        64⤵
        
        PID:8916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        65⤵
        
        PID:9088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        66⤵
        
        PID:8444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        67⤵
        
        PID:9316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        68⤵
        
        PID:9476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        69⤵
        
        PID:9692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        70⤵
        
        PID:9776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        71⤵
        
        PID:9876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        72⤵
        
        PID:10040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        73⤵
        
        PID:10124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        74⤵
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        75⤵
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        76⤵
        
        PID:9848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        77⤵
        
        PID:10276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        78⤵
        
        PID:10372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        79⤵
        
        PID:10452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        80⤵
        
        PID:10592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        81⤵
        
        PID:10700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        82⤵
        
        PID:10976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        83⤵
        
        PID:11088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        84⤵
        
        PID:11244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        85⤵
        
        PID:8352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        86⤵
        
        PID:10800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        87⤵
        
        PID:11124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        88⤵
        
        PID:11056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        89⤵
        
        PID:11316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        90⤵
        
        PID:11452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        91⤵
        
        PID:11576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        92⤵
        
        PID:11792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        93⤵
        
        PID:11948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        94⤵
        
        PID:12116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        95⤵
        
        PID:12192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        96⤵
        
        PID:12272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        97⤵
        
        PID:11508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        98⤵
        
        PID:11744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        99⤵
        
        PID:11896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        100⤵
        
        PID:11272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        101⤵
        
        PID:4544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        102⤵
        
        PID:4168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        103⤵
        
        PID:12400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        104⤵
        
        PID:12564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        105⤵
        
        PID:12616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        106⤵
        
        PID:12672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        107⤵
        
        PID:12756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        108⤵
        
        PID:12936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        109⤵
        
        PID:12996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        110⤵
        
        PID:13076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        111⤵
        
        PID:13236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        112⤵
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        113⤵
        
        PID:12296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        114⤵
        
        PID:12560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        115⤵
        
        PID:5532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        116⤵
        
        PID:5816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        117⤵
        
        PID:13116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        118⤵
        
        PID:5524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        119⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        120⤵
        
        PID:3128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        121⤵
        
        PID:7604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        122⤵
        
        PID:8004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        123⤵
        
        PID:13456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        124⤵
        
        PID:13588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        125⤵
        
        PID:13648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        126⤵
        
        PID:13748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        127⤵
        
        PID:14008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        128⤵
        
        PID:14072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        129⤵
        
        PID:14136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        130⤵
        
        PID:14252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        131⤵
        
        PID:8064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        132⤵
        
        PID:13372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        133⤵
        
        PID:7944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        134⤵
        
        PID:13780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        135⤵
        
        PID:8812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        136⤵
        
        PID:14200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        137⤵
        
        PID:8908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        138⤵
        
        PID:14340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        139⤵
        
        PID:14488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        140⤵
        
        PID:14544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        141⤵
        
        PID:14600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        142⤵
        
        PID:14720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        143⤵
        
        PID:14880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        144⤵
        
        PID:14952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        145⤵
        
        PID:15020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        146⤵
        
        PID:15120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        147⤵
        
        PID:15268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
        148⤵
        
        PID:15332

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ApproveOpen.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2236

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:404

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3864

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:4408

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3308

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5400

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5748

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6076

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:2168

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6468

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6804

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
PID:2676
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:8140
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2A2F13D914B2223EF92EC33E7BAA9297 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:7808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E0DD2B8BAD6AD0601BE44D257CE787E4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E0DD2B8BAD6AD0601BE44D257CE787E4 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:7940
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0C8F051C77A04EB354F8E659D5E6896E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0C8F051C77A04EB354F8E659D5E6896E --renderer-client-id=4 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:8376
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2D040FAD949892BD64B520128ABD5465 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:6664
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=56807AC66A44E865B3EC941FBD2F590B --mojo-platform-channel-handle=2892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:11172
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6241647FD762C3ED2774EEDCA3487901 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:10736

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompleteEnable.aif"
1⤵
PID:6900

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MountReset.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:7336

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MountReset.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:7528

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7756

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8096

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8296

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8872

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8252

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8372

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9508

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9800

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:10108

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:9604

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:10356

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:10692

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:11156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10420

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3400

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:11476

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:11932

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:12256

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:11860

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:11912

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:12732

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:13060

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:12392

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5592

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:7912

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:13688

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:14152

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:8328

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:14628

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:15060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
20227235e64304b41bb58bea7cb5b0bf

SHA1
7df351057b8ca6013ced0eb15cd47c884d0f0589

SHA256
701cd9b1fdc3de31d829b9288e13992f58387222d5c489a7540af7f6dff29a8e

SHA512
e356d3b4c5ccd65eb97058dbd9eef5e1340ae750c060e7c080b885f88b47f2446c5314d47d51f80507605d0bffd23ce206ea36b23a8a29464ac999e3ef689eeb

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
b607c89103c75c1f2a3f10aa805a9596

SHA1
e9e7ce12fdd5b00aeaa465acfe77b29b82d6c82e

SHA256
ea9950c0d585c314bcbb78ad31368d635970b664dd7db5b4c3a75ed6754d48ee

SHA512
015be2a8b7d9eded558ed216687b65aad7ef6e011b3fcb98bc698ac12497bd703011e6b77c5aba6179a556948f92301b0c54879c3c9cbf4f7f484ea5d95bf4b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\88B0C6F4-3E98-4B17-A9FD-C72F01779C51

Filesize
167KB

MD5
89bf3855d689b7d2a9a6182e60914557

SHA1
e487cec521c60f7444107c80999f5b175cf49dd4

SHA256
12185c3ef99b870d521a906a38dd599ff843939c5f0ae531fc5a522545d8c146

SHA512
3ca2414af10575fc4b812ffb0478437f087217e16c2ecec5ac75478fa7191f19571af44cc09af4cc63eaf4e07ee9a88b55ed9616171adda5b016fc28ba46a942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
323KB

MD5
67f36f3c0ac40b3318b0241f929fe06b

SHA1
7b9aee92f248b674b974a8469fd0b0ddddf6243d

SHA256
59f39c79c6f4ce39372c39f194fea499d0bf1eef2ecb2f2b7a941898fd7200f2

SHA512
d58458e054b4c202a887c57b234cdce0913ed83481237700d70ac51412273289d49dcf79c29f06a1b87749020a66a4b7b3a280886ff8ae0c60e5cbc9debef279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
8KB

MD5
4c60e335403f67b426a46aad85a0031c

SHA1
880a402796f2e3cf7fe73755531d348f984016a9

SHA256
0e54dcec1877b34c996f72c23e03141fe7721726c43ba17679e574751cd13aa1

SHA512
7c4c32fcf57ca337c96d83bed360f2cae540a23470db10224fff20b50253012673907eea65fa70683f837d05399cf746be452c3f3922054e7a8673bc704245c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
1d9db4d89cce6322f9b671b828eec273

SHA1
b174e94258bf3663b5ad2d37e5559e4fbd158d79

SHA256
a3a7577887d9a9e6c1c01f2cf0779bf97df17b416f7a9d29e0c0f6a8d2a4aca7

SHA512
ff14c3a6ab8f5313127195463ae42aa666f13e0f65f4c7b08826d56930cb979c1baddf93e18af23adc9740c2d4a212b8eb2802e09e4677f5e9ad3f8c74b170af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
16KB

MD5
a9106822e53a7962ac7d9a4cf6b3d362

SHA1
e227d71e46ccef6611fc770851be72a68ae22361

SHA256
9cc368868e247526f045de1200c5d9ebd778485c080a66850362fdc95f712aea

SHA512
d9bfb6ed12366b7eacd22c605468ed426b1fdfc71f6916e6175a2859092e64cbf66f9a38b8a7b37020ade0c261a60cd6a2e90abed1edeb668e4a0d6a78e26941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
20KB

MD5
328ca628181a1b50a72aca4a73a45e21

SHA1
302166c909ea0af1ae870b5b0957aefd8c0ea543

SHA256
2168be57d759c268c1d816572e0e6d955423688ca7137965627af642e8ece2e3

SHA512
d3db3d852d6429bb305450bcd3c768622c0cb3617008ac92fc85e8154770bba43d8d7eaf434930b6b4b9a0060c926ab2927358a685388536a58b108550a04bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
24KB

MD5
5271c950b5f0844469420b01a678a288

SHA1
8eda3f8406d465cf6ce34111de4fe75fbf3aa13d

SHA256
f8650cba30b47292d77106b76ff917b5544dc0c301ab895d1cf4d8df50c30f30

SHA512
fa5baec8a7744434ce1ea10c3fd3dbbd303b6554a9ced3b3b92ba4cdd131dde054d78bfe07e4530e0b01de1c67c35babf46dcd6ab05d524b968c7652c5881d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
28KB

MD5
ec36fb4ec2cd24a7f08946e04f2f96cf

SHA1
3e3f3d11082d94b9add8d9824236ae87e5ce75e4

SHA256
ed9241fea8229da732c4b2e76133754d14aff5c40a9e0569ccfafb9a64044e34

SHA512
73ee6fefd9e90d700aa6d67e05bf1ba4816f6fe3b9401245571e7d6cf63b6da64aa76004abab1ecfd4dcb8c444e84e9d88ad883cae39af58a6be61674b92ca5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
32KB

MD5
7b4080936339911498da2752f21706b2

SHA1
3233b10eba5b382c2253f7c32c4fe8341aa9f58e

SHA256
1838e8762a76533ed02f165db1904f052722b0a726f94401be01351eff03928f

SHA512
e5daf01d395b497c72212fb2bcc57c8e9793aa721ebc42a88dbcf0de621261a64eda25a9a4e4c08da0552b8699cfd028723be571055d8e81b53fb375c9a86842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
36KB

MD5
37066d943bcfc8a1ca6e4e24fc6b3641

SHA1
7d5dc55d779c6401c24c7ffb93a50a0e84456588

SHA256
1523aeec42d43580a289f474e993fafdccad6259fe3d0f76eb94683ceb643f88

SHA512
6b2b217f0dbc1ba5637533d77e61c2926e324b63ffbb10252cb68b9db8e915ebd1083b73bab840d5acf6fa2c7daebb5295f93bbb3bcedc6a8844719ddd5e312b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
40KB

MD5
33f853d9fc50f9e86b6da22d796a2416

SHA1
be37c3a07be5fa7a556350824b6974f52136ccab

SHA256
5ba6a2cee09a1de07f48060a43ddede5a2fc91038519d768592d3704929e3bd8

SHA512
0fc70586ff2a0801058f17f2d16424290f30b155509f5d9055968247099b9eed8d177b6ac154b134af3cb579ebbb17ff253d3febd3cf6027249334d081529116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
44KB

MD5
dfc82e6d31aedbbd7a67816fab67ef3e

SHA1
5fe8ce3a2e1993ec6ed4046f599057597c5a1d09

SHA256
c35fffc9fb5afac033cffa918c2ddae6c2b19141d31c0fc9774ac87a8123f6c9

SHA512
7c98ab1cd91e626f77c6aa71e97598424202f4f4db6698221f9c21c879a929e295bc15ae0c101076de13278bd8b1057a43e1d75ab0ed535310e141d4945f77e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
48KB

MD5
168a540f49b8adee534b9903ba582e7e

SHA1
04e095ecd9ccf8d6fa6c4d5edd3fd1efca51c521

SHA256
e43af96fab3313b4a23741480cf52b29f1568f4b2e9ea623453594b82a64a0ba

SHA512
4c319a9b01ddf7dccb704925e7b317a053601a4f27a42020fcaac12e9b600e21ddcf0cb2685464e144adc76c4f90e98f10f8aa4ccb9974872293512ce80e30fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
52KB

MD5
50335c02c780b0b40ab1d251d6ed2261

SHA1
f3dd830fef4e303b3bc9c612841f01fe36fda4e4

SHA256
008cc863afc6709588e0d0458620642f316dddca4bc7914e8ffca75bf81e0887

SHA512
0dedc035630e54403f4bf3f5e184857936e5050d6c7fd68f7093f50629d6d1155f1714334dd1b957dbc7b893e37b6caa982c4ecc757b38e50e2bc23284dd5748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
56KB

MD5
bec9bb1afddeb70f2e72ce53986be947

SHA1
55f9ef8c7dae3ea5ec622d4332ddeee8f06458d6

SHA256
76f3729a8b66e3f1ebb2354c81b8c3334cdb42401aef632ac5b35afd6b164846

SHA512
84c9e198be0aa0a2e6728ccd9f419dd2572c04d145eaeb026267eb10100b813ba86c06ffe74d6203c1a5f1b82f1c4b907a4cce461adf554e7ff5ffc4e3d0107c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
60KB

MD5
f1dee65205094c4d231b534f9d361d03

SHA1
2ece6a7ca583d744235e50172c9cda6ec62eede4

SHA256
7c7ede5c1bde3bd964bce3bdf65713a8e777ab76f9af92923ebdb3f178fd3b26

SHA512
6825f7edb987cce51de3433a39c010b29d5ad6439526a1c647f7907cfb7737dcb4f1e27321f2b30e362fc3bdd9fda98b5e1e1b98277368efe8725f346925f41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
64KB

MD5
72fe459448fe8cb556ee9aead9c0c4ab

SHA1
e098534bb8baf3ecdc7c6652db774c361c63bcf7

SHA256
b3bb9fdb1651d2c3d7c207b62295d443970aa9d71d420773c361b587f8eedf96

SHA512
fd03c81fef1ca1055a0dcf2eacde3dadb3ab30866b69f7132f99c6232643fc826461c83343d2a8519ab12a475cb0953fd977ee24fb3ac8bc143ebb206160c271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
68KB

MD5
99df181cc519cf963eafbaf8abd32b64

SHA1
e1ee287a1602059efc09b7f310e40f934b19de17

SHA256
124f6e74264e66a650930043838c3b8d88e42d9e0efad65433a3384691957c4c

SHA512
4fa6411af030e0f99f9f04231c0660e5532ccf0087a5551907583636bf56c87d93c1e20f099c19fa0d1c5bed3d66aed5c722d01b670f19279644b4a1faff3471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
72KB

MD5
f8fd9b7cd9310164ca17b4a9d9b826b7

SHA1
6ba807816ec6a014044ad6459767bc674fe8c4c7

SHA256
57fe915fdb37e87df0ea1e33361031fc972b99c72bbf5fd6850d6515b9252bca

SHA512
0e6c59fdf15cbe3463632e61a55d6d9a3612b0f91cfe1e0e922454ce90c17f1adc84a55f5aeca804f6f2c4d88f99331e2fc0f5075ac5d5bf5cb6d0b40a4916e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
76KB

MD5
7483f956a4d74750da8e5757aa1698ec

SHA1
b2de99c30c6a729710286d10d67158ebcf656a6d

SHA256
71639675582ac55798bae9fe7bf1dbe18f31951badfaa48b8f8bd7ecf2ebcee3

SHA512
d57cecc4d436bd20663478b432f43c8ce952233c746a911431810474f6a7227b1269b08c86039d5d5d14c686b3cd24dcf374d4a2f164894a7362998ec9c8399e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
80KB

MD5
10205f3d4841128dce29effdcbec5b96

SHA1
9e550e4d6916c5ee0dea81c06025eefb09bbbcd1

SHA256
e13f974eca479de50df52db8af8262237a457246e74e8415515a331bb888adb6

SHA512
04b119c5c401e2d1acccb2512d1ce11c8a23cab79d0c647455f318616ac75abb223da014304ea4574036cf42e7fe90223345b5aab83295e52110f8fc496241f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
84KB

MD5
a3485fb85ab4e2f9aac59af2a3565cc6

SHA1
c962d5b648a9a1e60b45ee7c7993e96044279f60

SHA256
4928cbec723164bfb101457fbfb3dc459c5ab6453250de8f65f6715d78e98668

SHA512
eaec1030d2a1ce395ccf154cd57139dc5470e69005819b4b5c16d7c8783ccca9e59a734ea9fea578e5cdc8bcddf2f1bbf869d4d9ab0ed5e40c69d8017bf2a702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
88KB

MD5
7c50f920e730c2a0d3cd0642f3c89878

SHA1
0da6bae087fa1932b72f9be8b5f375ac987df7d4

SHA256
920adfcd0217e578c02beac271a23a291707f1f29118328d79083f055406848c

SHA512
c029be3e9e91399539022adceae06ee6c45e41038d407fd4a27bdf7dccde6be369132f7b1f7d10abb5934f4f2f0b8acefedfc9bf131eda94f981695c4aaa52bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
92KB

MD5
8334ce1f37cd7bd7e6ba39ba3f89e20c

SHA1
e3c9f18957800dc96ae1ba0017703a2eea41bddd

SHA256
08c71f6d5855283e95f0e7d5eb96f0ce3349a6425f3a3ee7141a180ba7945772

SHA512
0abc582c6576b858bc26f1a7e10978707875d419d0d7d179069dd562cc1b2a818fdd7ede0d77ba6dc43e44b1a444c522ac2c72bb21e5d1e653fabb05c3dd7a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
96KB

MD5
e25cb21351599461f632bd56a42a1ce5

SHA1
aa946d471e66a9f59655d9e7520308482739290e

SHA256
fa0ae658176687bb2598f5fbad062d74146a052e95fd0b3aadd999106d409f6b

SHA512
cab7ecdbc22d61cedf6858193f12de5d8c9dc036c24e84d3f7dc98861edcb800762f98e905ccc2d493b8ba167453bb087e5d4885c6646f367055b052d7f0a5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
100KB

MD5
aabadcca7e188fe6ac8a67fd706ff27e

SHA1
d9d70fb2203b74f8a304c0dfaccb8c77901e6888

SHA256
3e404f3949a1a1e6edf81115ffdadd40d643ac320ae8f9e7a1782367a0296606

SHA512
7c6a68a4c193e044ba36bbb9ebcc20ac16b4830d4c2c30d54452e71a5f5753b17e1605fdfd742d33c0b6dcd3907eb5c2e56c51fbcf7f558d4754f77b2b37ec1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
104KB

MD5
6aa8b1432ad9ddeb7a4727a5083d620f

SHA1
971f15323808dd10948bc8caac6ed0653fd8fc56

SHA256
86a2c27622b1df8ca596fcb61193f6dd987fa648a0885e79c0bf083c7c528596

SHA512
6c5e4823dd8453cc3dc61321d80ff8a5fdad0c9ccbbbd7368cfd6b9d4e0ee28924fbf8fe112c4c8597811b38059a5c449a8c1e336800e97335c4c056f8b360c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
108KB

MD5
a5c3c8954f454b1330eec61ce403d3bd

SHA1
cb7049007ead7808540c1d0bf418267b0d558df4

SHA256
ccb1e1347a3a45ef2ab3f2111c701af863dc36ce8ee021c7eac222425f4eea3b

SHA512
aa239824455b2ab6784679423785a142f7a4d9b8a8505c85245053722353b310f1358cab8756f741cb30e72e6bac186de11a9a8360e10d2e3367ead0b289f2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
112KB

MD5
2be982964030c17950a5f800463649cb

SHA1
00e05d81feef4f12f0e0da5c7f4f13a69a1a8a2c

SHA256
f8c8c119dba484b89650f64ce302e19cc1e6c74c8eb7f2aa3fc6273544572e82

SHA512
38c143b03e9be5917a46f52b797ad3469ace68a6d3fb223af0404791c016c3d9d0accf0fdbd89d9c4b46508766aadba8ff831123eb8711f8679d55ace4fb6dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
116KB

MD5
c1ad7f5a19941179c9ef7f0905a64842

SHA1
084729aec9a1d7720789e9a8eb078386d559ec78

SHA256
c9c2c592a3a9574ae610c99ea4dc1c2f736f7686776326ed8481ed3220f14e3f

SHA512
666019b3c0e4521ad4501a76e7bd9e7d56f06b2a3ac0ffe42e6aa21f19b8f669c8e91340bff39fc499d58b925e455186a526d167748d5e7d4d8f31c04bb964c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
120KB

MD5
e01d6b99625add515919fe12b4f9ec69

SHA1
5cd1a89cbbdfaf852ec5ddfb0c899a7122708c8b

SHA256
169e684aae521e2aed49694a64079d8fd7f14685ec60f0ed2a904e9837fd2098

SHA512
b68ad61a5d1f5651aa8091e507e33254096e085dd006025b70d11fd8ed8855301a3d13ef8e4948207eef20de9e1fc729d168225472116463f81da9be4851cf60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
124KB

MD5
827d032d3cdf09e9bafd579114ed6a79

SHA1
aecc1830d5383976115c57a33a5c326e7acbba55

SHA256
3b8752a320424f3183a9d64f9c1db495f5af35e3bd1f1a2faa73834430e944b2

SHA512
be9c8316112131bfb9e4b0c29a71a7d50320388a4228c6687c78ebd8a2687c199226f8cdf382af0a46e1b6e7544762bb04bf10001909bcad4474d444128ff450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
128KB

MD5
f9d5a851d15819a741440b702c28ca3a

SHA1
ebdaae3173ace9a7adc2345a3b83bc465d562cff

SHA256
0f2b0958c53c16a49e43b7325ae3808e9313968d2a95a77125cf9316e38544a4

SHA512
094c208051a56e4b5660211543cc102bb260721c38a04c56f2e18c52106b3ca5f9f63b1bc5ed4ad2f72494ab6edd2d9127ffabc4b6c5226ee0548ae719802122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
132KB

MD5
8215bdff9bac99f1f51c27e2879bc346

SHA1
66540b98e1a4465f272254f243a5b3a1c861de35

SHA256
21788966aa5c1333afcfd7a6ac30f03f560e0d3de457c5c62bec50a8fa2532e3

SHA512
d5433a944aed18d22ca40b54db10b7d3e081b2c001601d610d4650e27b45391dec0e8519244a92715d7e1ff120c458142aa056f6c70803bd05e6441b0826dcc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
136KB

MD5
9d2edef6fb85333ff03af25d0769c385

SHA1
ca0f5dca19d6cd5d3ef38d18a8fa8ffdf2e4e09d

SHA256
3ecdd404076d59f9ed08185d2410a49cc9aefd29c3ed2bb1fdec3ae50c345132

SHA512
3ecb02b8e56c05f9d7f4a20de8e8625102403fa624610390c93ac302852751b96c67b4ddbafe558284ee54f585bc6e9e0b360831ff7e36ec1a2ea7539fea2d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
140KB

MD5
12c130e8be4571fd38c40c58fcd56cb0

SHA1
e29ccc73b7319ea5db8d7ff3ed84716fb940a8b2

SHA256
9b0dad9dd20888eb8dd4c30861ee588e569fdb6c273653f0559d89ae5a3b13d9

SHA512
55a88f9394ca74d66ea00ef27375ba3c25a252b4ec41584e6fd51e95bcad8f4be26c584dbae817a5cf0c77c5318b47ecfc1e299e994c8900b58a0c7b5faf9811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
144KB

MD5
6380cc373829484b1eec98ff4aea7afe

SHA1
20724bc84f44178166ab51211e3800f6e779847c

SHA256
a09aaddc8a03a0122cf58eec93377401408f8242d9614e6659cfe0883f513655

SHA512
77c2cbc3e9b452bd415f80438a1d28204ac37d0b5cc0ede99ba0f80ed3b967a559ff522355d7477d17f2bf40afdbc4ad3b75233d139de67f64d93106afd645b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
148KB

MD5
367e054cc5770aa5eca30e7799487fa2

SHA1
ad267f6c2bfc53fb4fe7147684f6c69507043255

SHA256
972fe7f4466de1f36564a09e646aa8eba98b3cf709c43660b65115a08b012b98

SHA512
5a95abedfb2b13ec1aa1bc01855446e062dfc5e5ef8a33ae59f48a60aa6132528906f519e044c0d4c0b702c90e6b8f499e4110ee801df21f6a43dea3c2ca7c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
152KB

MD5
54d20f612c76629f3dc65bf6e1ecd378

SHA1
0c83b5c8ed791141b3eb5b4a4e60499b399eb961

SHA256
6eb35d5dac3499ee7c8f9f169725a3e1b74a106434049cf52dfcad035ac0fba7

SHA512
d67c59b88115f50c3cc415ee262ad4dc25dd6c760af0857b3b253f551c5d1cbe722949da51de1cbfb63d49a99754837eabd3713b130b2ed330ccab1b0199a406

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\f2099ed0-1585-4d84-a2e4-7f98cec916d6.tmp

Filesize
404KB

MD5
21c3dd2c30b5eefe898f133515496337

SHA1
4c9ef61b5eaa356918f3e09f5e9110e3c78ddd2e

SHA256
1359a07be2f8b4e6afb0d11ec64f2eab448a068ec2cfcfcd8344b7d07d8d4576

SHA512
5470f3c5446f34d5c506426786d6c2687e8472061e8563e8a342e935bb4142f2035fca8dac41628e4b3755f1976e1f9e11c3f057a1f0e58349ac20081a70d6b0

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
dfa84db0454042524b24cb3f3d9e35c8

SHA1
e94f551a243828b75d186a995fc8457413978f86

SHA256
3114d9650a545a76f93e5b4eee0641c0387049271d27a74e414e52bbe9f7d946

SHA512
55620d4bc992c697cf71813ec1a84d76d4da7f590f61245cb869cf91e6d0be87613e5ab3367fa3974bf5343c52faa61cc1fa61ca9a8ea32d58dc5e0fe511c218

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
C:\Users\Admin\Desktop\InstallApprove.xml

Filesize
593KB

MD5
bac28c183a6dac98737e94dff1c41136

SHA1
ec2a977177c4aaf87331168d08e61471c96a5ebc

SHA256
59c84189b81ef7169124182b34c0b1fbee891f379f908e4ef6d9175509b146d3

SHA512
597fc91d42dcd21eb4ff9e5e8214dc4a51f75979421a5c9f55fc4c8c0c7c87b82ae68c061d4b6caa8c3907fa3c14eb5b565ad519dd5c60755076ce1aba12c154

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
9149360c686c35c3eaf4a347607d7073

SHA1
2d02e9a8d224b1cfaf09cd9b9180bc81a6dc38ee

SHA256
d48d1863d87f357571471246a6e0aa80a3b0ac52b5f1746572c017eb76dda27c

SHA512
6bf31761f2373574f90255c6d8290ac442c8cd280f48b979bfc4298d89b7c4fc203f5fd9d255507e05e0f3a142c0919f4fb5cdb1b4126c92f9aed89fc4532dc1

Download Submit
C:\Users\Admin\Desktop\MountExport.pub

Filesize
445KB

MD5
3e234184735531e05f918a2752dbc152

SHA1
45560c0f3fad86724c5ddf4f02e90c211bbb0479

SHA256
93a2ac652ea7dc52ffabf55960603ff4cadb9b8377000a8d8323a416c2019d74

SHA512
80f9f672c24fbd098ed5ed423732194210f9982c9cd75cb725ffcd7a8ad543f70f3bf2d8e74ba80824237a67843bb5e6f67bc865b44a25574a3935dacdd6926a

Download Submit
C:\Users\Admin\Desktop\MountReset.ps1xml

Filesize
530KB

MD5
dcfbe7fa5aeb00346c949e64024901bb

SHA1
e78dbcb324801a552551afe97837a4428dab95db

SHA256
48645e25fd8db48bfbb9f207cc834b665cebc14e33eb9d17eb4ebd8b0a84ee71

SHA512
4295e6768abacbf976e2e8400ada1d86f7d24ad9530817bcf10ed2aa512d171f1383991032dd1b136c5aaf51c8caf62c1a88b58aabbcf6d1e4048894be58e4f3

Download Submit
C:\Users\Admin\Desktop\PushComplete.easmx

Filesize
636KB

MD5
f5c84412cafbac59d3275c2af7182a99

SHA1
90763bd5492401bef9e011f5cbf59cee285043a9

SHA256
42a6752b39895c164e1a2d36285f5b45116f44875fd58c7917805e543d1a7c97

SHA512
bcd79a07f8113d7e8d67a580abb49a630fe8cf70ce4670c522430c994b212f745b525604ff1195b10aceeb91ac549068748d9e34a089eda00c7371bb49ff5145

Download Submit
C:\Users\Admin\Desktop\SendRevoke.mpv2

Filesize
742KB

MD5
031823885aa5d64b299f0c24acbe6676

SHA1
f60ff8ab0cf3071f38ae82bbc300b8a04ffc1c8c

SHA256
bdc802cddef405d8b162ffc5fc2ed9b7918fec6edfa744d938faa49756df78ba

SHA512
288db772bc5dbdbb0dad2b0987711ecfde3cc4899b89a4c506a14e1e20aa7ad159f64755507400d76095c0e3fc5344412e24fed8b7407f1db5f27e6cf054e584

Download Submit
memory/4064-76-0x00007FFA00B50000-0x00007FFA00B60000-memory.dmp

Filesize
64KB

Download
memory/4064-2-0x00007FFA00B50000-0x00007FFA00B60000-memory.dmp

Filesize
64KB

Download
memory/4064-3-0x00007FFA00B50000-0x00007FFA00B60000-memory.dmp

Filesize
64KB

Download
memory/4064-4-0x00007FFA00B50000-0x00007FFA00B60000-memory.dmp

Filesize
64KB

Download
memory/4064-5-0x00007FFA00B50000-0x00007FFA00B60000-memory.dmp

Filesize
64KB

Download
memory/4064-6-0x00007FFA00B50000-0x00007FFA00B60000-memory.dmp

Filesize
64KB

Download
memory/4064-7-0x00007FF9FE8B0000-0x00007FF9FE8C0000-memory.dmp

Filesize
64KB

Download
memory/4064-8-0x00007FF9FE8B0000-0x00007FF9FE8C0000-memory.dmp

Filesize
64KB

Download