epsilon | f9cf48c044d90c94f4814a0577cc36a7ba1ac5dbc9652b2e0e498162a042494d

Analysis

max time kernel
77s
max time network
157s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
19-03-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

168.6MB
MD5

71598bb3157d11573761bda2392adfb0
SHA1

fb505e666e4075151aae16aaab549310facbe3ad
SHA256

cadd70e3070ab72a953f924fa8854ea92727b2f8c664a5cebc69188065d4244f
SHA512

c77f2743aa81c56c8c72180f43db37868abe330295c60c097c9f45dae85a454bd6a666055afe197926e9ed3e7fce22b117d8f79876c8beb47df4274f77bde00f
SSDEEP

1572864:qXic4qb6IXgDaJfpEQHgelkLK4z34xGWw0TwW1T/qWhehZvmCtS3JPfyzG49FndX:0VKvWZ8tyx4u

Score

10^/10

epsilon spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Control Panel\International\Geo\Nation	Launcher.exe

Executes dropped EXE 64 IoCs

pid	Process
7140	screenCapture_1.3.2.exe
6572	screenCapture_1.3.2.exe
6488	screenCapture_1.3.2.exe
6752	screenCapture_1.3.2.exe
6440	screenCapture_1.3.2.exe
6716	screenCapture_1.3.2.exe
6640	screenCapture_1.3.2.exe
6744	screenCapture_1.3.2.exe
6452	screenCapture_1.3.2.exe
6492	screenCapture_1.3.2.exe
6288	screenCapture_1.3.2.exe
6868	screenCapture_1.3.2.exe
6908	screenCapture_1.3.2.exe
6832	screenCapture_1.3.2.exe
6376	screenCapture_1.3.2.exe
6956	screenCapture_1.3.2.exe
7016	screenCapture_1.3.2.exe
2352	screenCapture_1.3.2.exe
5540	screenCapture_1.3.2.exe
6860	screenCapture_1.3.2.exe
6928	screenCapture_1.3.2.exe
7084	screenCapture_1.3.2.exe
7048	screenCapture_1.3.2.exe
6336	screenCapture_1.3.2.exe
6392	screenCapture_1.3.2.exe
7020	screenCapture_1.3.2.exe
7148	screenCapture_1.3.2.exe
6900	screenCapture_1.3.2.exe
7128	screenCapture_1.3.2.exe
7104	screenCapture_1.3.2.exe
6828	screenCapture_1.3.2.exe
6364	screenCapture_1.3.2.exe
6892	screenCapture_1.3.2.exe
6708	screenCapture_1.3.2.exe
1912	screenCapture_1.3.2.exe
6976	screenCapture_1.3.2.exe
6844	screenCapture_1.3.2.exe
6984	screenCapture_1.3.2.exe
7164	screenCapture_1.3.2.exe
6656	screenCapture_1.3.2.exe
7288	screenCapture_1.3.2.exe
7300	screenCapture_1.3.2.exe
7272	screenCapture_1.3.2.exe
7280	screenCapture_1.3.2.exe
7308	screenCapture_1.3.2.exe
7740	screenCapture_1.3.2.exe
7752	screenCapture_1.3.2.exe
2260	screenCapture_1.3.2.exe
7720	screenCapture_1.3.2.exe
6660	screenCapture_1.3.2.exe
7196	screenCapture_1.3.2.exe
6824	screenCapture_1.3.2.exe
7372	screenCapture_1.3.2.exe
8068	screenCapture_1.3.2.exe
7808	screenCapture_1.3.2.exe
6464	screenCapture_1.3.2.exe
7996	screenCapture_1.3.2.exe
5428	screenCapture_1.3.2.exe
6672	screenCapture_1.3.2.exe
5164	screenCapture_1.3.2.exe
5092	screenCapture_1.3.2.exe
5488	screenCapture_1.3.2.exe
840	screenCapture_1.3.2.exe
6088	screenCapture_1.3.2.exe

Loads dropped DLL 2 IoCs

pid	Process
316	Launcher.exe
316	Launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io
31	ipinfo.io
2	ipinfo.io

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
7224	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4960	WMIC.exe
Token: SeSecurityPrivilege	4960	WMIC.exe
Token: SeTakeOwnershipPrivilege	4960	WMIC.exe
Token: SeLoadDriverPrivilege	4960	WMIC.exe
Token: SeSystemProfilePrivilege	4960	WMIC.exe
Token: SeSystemtimePrivilege	4960	WMIC.exe
Token: SeProfSingleProcessPrivilege	4960	WMIC.exe
Token: SeIncBasePriorityPrivilege	4960	WMIC.exe
Token: SeCreatePagefilePrivilege	4960	WMIC.exe
Token: SeBackupPrivilege	4960	WMIC.exe
Token: SeRestorePrivilege	4960	WMIC.exe
Token: SeShutdownPrivilege	4960	WMIC.exe
Token: SeDebugPrivilege	4960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4960	WMIC.exe
Token: SeRemoteShutdownPrivilege	4960	WMIC.exe
Token: SeUndockPrivilege	4960	WMIC.exe
Token: SeManageVolumePrivilege	4960	WMIC.exe
Token: 33	4960	WMIC.exe
Token: 34	4960	WMIC.exe
Token: 35	4960	WMIC.exe
Token: 36	4960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4960	WMIC.exe
Token: SeSecurityPrivilege	4960	WMIC.exe
Token: SeTakeOwnershipPrivilege	4960	WMIC.exe
Token: SeLoadDriverPrivilege	4960	WMIC.exe
Token: SeSystemProfilePrivilege	4960	WMIC.exe
Token: SeSystemtimePrivilege	4960	WMIC.exe
Token: SeProfSingleProcessPrivilege	4960	WMIC.exe
Token: SeIncBasePriorityPrivilege	4960	WMIC.exe
Token: SeCreatePagefilePrivilege	4960	WMIC.exe
Token: SeBackupPrivilege	4960	WMIC.exe
Token: SeRestorePrivilege	4960	WMIC.exe
Token: SeShutdownPrivilege	4960	WMIC.exe
Token: SeDebugPrivilege	4960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4960	WMIC.exe
Token: SeRemoteShutdownPrivilege	4960	WMIC.exe
Token: SeUndockPrivilege	4960	WMIC.exe
Token: SeManageVolumePrivilege	4960	WMIC.exe
Token: 33	4960	WMIC.exe
Token: 34	4960	WMIC.exe
Token: 35	4960	WMIC.exe
Token: 36	4960	WMIC.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe
Token: SeShutdownPrivilege	316	Launcher.exe
Token: SeCreatePagefilePrivilege	316	Launcher.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
316	Launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1300	316	Launcher.exe	74
PID 316 wrote to memory of 1300	316	Launcher.exe	74
PID 1300 wrote to memory of 4960	1300	cmd.exe	76
PID 1300 wrote to memory of 4960	1300	cmd.exe	76
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 4532	316	Launcher.exe	78
PID 316 wrote to memory of 5036	316	Launcher.exe	79
PID 316 wrote to memory of 5036	316	Launcher.exe	79
PID 316 wrote to memory of 1820	316	Launcher.exe	80
PID 316 wrote to memory of 1820	316	Launcher.exe	80
PID 316 wrote to memory of 4148	316	Launcher.exe	443
PID 316 wrote to memory of 4148	316	Launcher.exe	443
PID 316 wrote to memory of 5064	316	Launcher.exe	82
PID 316 wrote to memory of 5064	316	Launcher.exe	82
PID 316 wrote to memory of 4792	316	Launcher.exe	83
PID 316 wrote to memory of 4792	316	Launcher.exe	83
PID 316 wrote to memory of 3008	316	Launcher.exe	84
PID 316 wrote to memory of 3008	316	Launcher.exe	84
PID 316 wrote to memory of 4196	316	Launcher.exe	85
PID 316 wrote to memory of 4196	316	Launcher.exe	85
PID 316 wrote to memory of 1352	316	Launcher.exe	672
PID 316 wrote to memory of 1352	316	Launcher.exe	672
PID 316 wrote to memory of 1116	316	Launcher.exe	679
PID 316 wrote to memory of 1116	316	Launcher.exe	679
PID 316 wrote to memory of 1112	316	Launcher.exe	88
PID 316 wrote to memory of 1112	316	Launcher.exe	88
PID 316 wrote to memory of 5056	316	Launcher.exe	442
PID 316 wrote to memory of 5056	316	Launcher.exe	442
PID 316 wrote to memory of 2676	316	Launcher.exe	90
PID 316 wrote to memory of 2676	316	Launcher.exe	90
PID 316 wrote to memory of 760	316	Launcher.exe	92
PID 316 wrote to memory of 760	316	Launcher.exe	92
PID 316 wrote to memory of 4120	316	Launcher.exe	93
PID 316 wrote to memory of 4120	316	Launcher.exe	93
PID 316 wrote to memory of 1484	316	Launcher.exe	96
PID 316 wrote to memory of 1484	316	Launcher.exe	96

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1824 --field-trial-handle=1828,i,9485400543562405587,2561247085738740591,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --mojo-platform-channel-handle=2948 --field-trial-handle=1828,i,9485400543562405587,2561247085738740591,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:5036
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2964 --field-trial-handle=1828,i,9485400543562405587,2561247085738740591,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-14tm4on.xprq.jpg" "
  2⤵
  PID:4148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6848
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D43.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC54DCE443414E44C3B566A77D72E4AED4.TMP"
      4⤵
      PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1e0600t.jifzl.jpg" "
  2⤵
  PID:5064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A16.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC34AFA92EE9D4C73AA5DBB3D753A5BA6.TMP"
      4⤵
      PID:6872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1aaltl0.ifmgg.jpg" "
  2⤵
  PID:4792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389F.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCECE50C54D835437FB1E97326795669AA.TMP"
      4⤵
      PID:6616
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1aaltl0.ifmgg.jpg"
    3⤵
    - Executes dropped EXE
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-k70qet.bq7zl.jpg" "
  2⤵
  PID:3008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39C8.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC1A417E6FAFEA477FBB40D42419C6DA1.TMP"
      4⤵
      PID:6836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1t6x5hm.s9qu.jpg" "
  2⤵
  PID:4196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3803.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9349D7A44A56459890776085FDB9C4F.TMP"
      4⤵
      PID:6576
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1t6x5hm.s9qu.jpg"
    3⤵
    - Executes dropped EXE
    PID:6900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1yvola3.kl2g.jpg" "
  2⤵
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:7092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4198.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCDE4368FBDD03499589D2FDB41F0759B.TMP"
      4⤵
      PID:7648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wd5688.sm4d.jpg" "
  2⤵
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wd5688.sm4d.jpg"
    3⤵
    - Executes dropped EXE
    PID:6376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-65krb3.hkc2p.jpg" "
  2⤵
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-65krb3.hkc2p.jpg"
    3⤵
    - Executes dropped EXE
    PID:6744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-phkry0.6d3r.jpg" "
  2⤵
  PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:5236
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3748.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCB00B615B1D694120B9C8A9863060F09B.TMP"
      4⤵
      PID:6492
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-phkry0.6d3r.jpg"
    3⤵
    - Executes dropped EXE
    PID:6868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-6utrxn.k3i4s.jpg" "
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-6utrxn.k3i4s.jpg"
    3⤵
    - Executes dropped EXE
    PID:6828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1iwc0em.ebvj.jpg" "
  2⤵
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1iwc0em.ebvj.jpg"
    3⤵
    - Executes dropped EXE
    PID:6452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-62oaky.2zuc.jpg" "
  2⤵
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-62oaky.2zuc.jpg"
    3⤵
    - Executes dropped EXE
    PID:6492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wfvivi.5yvch.jpg" "
  2⤵
  PID:1484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CB6.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCE93CF9EB50174DBB821810E5C3C73598.TMP"
      4⤵
      PID:7160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-cmsyvy.jrcr.jpg" "
  2⤵
  PID:4752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37B5.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCDE9C6BEBDF34C98B49CA18809E9752.TMP"
      4⤵
      PID:6548
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-cmsyvy.jrcr.jpg"
    3⤵
    - Executes dropped EXE
    PID:6908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-wf8nds.y2zic.jpg" "
  2⤵
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-wf8nds.y2zic.jpg"
    3⤵
    - Executes dropped EXE
    PID:6440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ans9ur.xrp.jpg" "
  2⤵
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ans9ur.xrp.jpg"
    3⤵
    - Executes dropped EXE
    PID:7140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vm6esf.ibkqj.jpg" "
  2⤵
  PID:2124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:5540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3747.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6AB840892A8C4BADAE64B8AA2487D8D7.TMP"
      4⤵
      PID:6480
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vm6esf.ibkqj.jpg"
    3⤵
    - Executes dropped EXE
    PID:7084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-z4vbkb.godpl.jpg" "
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-z4vbkb.godpl.jpg"
    3⤵
    - Executes dropped EXE
    PID:6716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-g5ji3z.bdfc.jpg" "
  2⤵
  PID:2916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40AE.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC7B24F86AE82640A4886F83ED219F9767.TMP"
      4⤵
      PID:7468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1e38fkx.8wxnj.jpg" "
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1e38fkx.8wxnj.jpg"
    3⤵
    - Executes dropped EXE
    PID:6288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1y08esm.vkhu.jpg" "
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1y08esm.vkhu.jpg"
    3⤵
    - Executes dropped EXE
    PID:6832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1grd33i.v2u8.jpg" "
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1grd33i.v2u8.jpg"
    3⤵
    - Executes dropped EXE
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-mbdd0l.1nt3f.jpg" "
  2⤵
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-mbdd0l.1nt3f.jpg"
    3⤵
    - Executes dropped EXE
    PID:6956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1gjrsmf.dbx8.jpg" "
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1gjrsmf.dbx8.jpg"
    3⤵
    - Executes dropped EXE
    PID:6752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-fthqjt.2yj3.jpg" "
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-fthqjt.2yj3.jpg"
    3⤵
    - Executes dropped EXE
    PID:6928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-7gea7y.g66sm.jpg" "
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-7gea7y.g66sm.jpg"
    3⤵
    - Executes dropped EXE
    PID:7308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-13moxuj.2m4w.jpg" "
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-13moxuj.2m4w.jpg"
    3⤵
    - Executes dropped EXE
    PID:6572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1b45md8.jcnm.jpg" "
  2⤵
  PID:5080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DE.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC5E2306FADCB643C3901884F774DCFB1.TMP"
      4⤵
      PID:6656
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1b45md8.jcnm.jpg"
    3⤵
    - Executes dropped EXE
    PID:7148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1dhr1uz.yfzd.jpg" "
  2⤵
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1dhr1uz.yfzd.jpg"
    3⤵
    - Executes dropped EXE
    PID:6336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-19mv7uo.o7rr.jpg" "
  2⤵
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-19mv7uo.o7rr.jpg"
    3⤵
    - Executes dropped EXE
    PID:6392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1a5m25d.ijjgk.jpg" "
  2⤵
  PID:4236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BBC.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC7DA83A5B624FF4A61983C37A6B2994.TMP"
      4⤵
      PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1b41sns.twl8.jpg" "
  2⤵
  PID:2280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B5E.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCFA212B9640504A52AB85FF18BC6EFB.TMP"
      4⤵
      PID:6252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-damblt.xt1f.jpg" "
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-damblt.xt1f.jpg"
    3⤵
    - Executes dropped EXE
    PID:7164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1pxpz1v.6vm7.jpg" "
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1pxpz1v.6vm7.jpg"
    3⤵
    - Executes dropped EXE
    PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-10jjwmf.t46p.jpg" "
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-10jjwmf.t46p.jpg"
    3⤵
    - Executes dropped EXE
    PID:6364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-11g42id.yvbl.jpg" "
  2⤵
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-11g42id.yvbl.jpg"
    3⤵
    - Executes dropped EXE
    PID:7272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jyttp6.xkiw.jpg" "
  2⤵
  PID:236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AC2.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC9DCCAF7F89F74ADD9E068D3C17A307B.TMP"
      4⤵
      PID:7056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ep92bc.hufn.jpg" "
  2⤵
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ep92bc.hufn.jpg"
    3⤵
    - Executes dropped EXE
    PID:6984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-gye001.n3adj.jpg" "
  2⤵
  PID:3816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A83.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC330E9BB02F994474A0B45F2FC6EB91F5.TMP"
      4⤵
      PID:6988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fzvpeu.0jyw.jpg" "
  2⤵
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fzvpeu.0jyw.jpg"
    3⤵
    - Executes dropped EXE
    PID:6860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ke24fp.qhtcm.jpg" "
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ke24fp.qhtcm.jpg"
    3⤵
    - Executes dropped EXE
    PID:7288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ihr37v.qbw1k.jpg" "
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ihr37v.qbw1k.jpg"
    3⤵
    - Executes dropped EXE
    PID:7020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jz5lsa.awow.jpg" "
  2⤵
  PID:4364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:7008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES414A.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCF95D6BA1BD0D4D75BE856456278CE85.TMP"
      4⤵
      PID:7560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-dtduux.4pu3g.jpg" "
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-dtduux.4pu3g.jpg"
    3⤵
    - Executes dropped EXE
    PID:7048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1xenuh1.mqc2l.jpg" "
  2⤵
  PID:4668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A64.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCB5CD4B15BCAC49789F90DB78DD34717C.TMP"
      4⤵
      PID:6932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-3l626n.05b3r.jpg" "
  2⤵
  PID:5000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3709.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC32BAEF8DA4B4801A691A43ED21C77D1.TMP"
      4⤵
      PID:6452
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-3l626n.05b3r.jpg"
    3⤵
    - Executes dropped EXE
    PID:6640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-sx9c8u.x30w.jpg" "
  2⤵
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-sx9c8u.x30w.jpg"
    3⤵
    - Executes dropped EXE
    PID:6976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1h4azeg.9ny1e.jpg" "
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1h4azeg.9ny1e.jpg"
    3⤵
    - Executes dropped EXE
    PID:7016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wl58ox.zfbp.jpg" "
  2⤵
  PID:5012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CA6.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC5AAB02A053F34FAC98582DF8EA9054BD.TMP"
      4⤵
      PID:7032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mqwdo8.y518j.jpg" "
  2⤵
  PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38FD.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC370C74DF72A14DE4AB7F6DEAF79410FA.TMP"
      4⤵
      PID:6708
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mqwdo8.y518j.jpg"
    3⤵
    - Executes dropped EXE
    PID:7128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-nv6huu.2gwl.jpg" "
  2⤵
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-nv6huu.2gwl.jpg"
    3⤵
    - Executes dropped EXE
    PID:6844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-j1e26b.ad2e.jpg" "
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-j1e26b.ad2e.jpg"
    3⤵
    - Executes dropped EXE
    PID:7280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-s3ji0g.phxd.jpg" "
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-s3ji0g.phxd.jpg"
    3⤵
    - Executes dropped EXE
    PID:7300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-11mllql.jjpx.jpg" "
  2⤵
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-11mllql.jjpx.jpg"
    3⤵
    - Executes dropped EXE
    PID:6892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1x9f48n.k4iw.jpg" "
  2⤵
  PID:5108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES409E.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC553421C1CEA1434F8799C46B46D4369B.TMP"
      4⤵
      PID:7452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1qxqwca.oq6s.jpg" "
  2⤵
  PID:3532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D91.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC93C72F9099834A43BA38088C272EF37.TMP"
      4⤵
      PID:6316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-dyw6s3.5i6g.jpg" "
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-dyw6s3.5i6g.jpg"
    3⤵
    - Executes dropped EXE
    PID:6488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-tsi716.2d4z.jpg" "
  2⤵
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-tsi716.2d4z.jpg"
    3⤵
    - Executes dropped EXE
    PID:7740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-4778s8.6hx6q.jpg" "
  2⤵
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-4778s8.6hx6q.jpg"
    3⤵
    - Executes dropped EXE
    PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-3eylsh.efrld.jpg" "
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-3eylsh.efrld.jpg"
    3⤵
    - Executes dropped EXE
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-wkgoa5.3khm8.jpg" "
  2⤵
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-wkgoa5.3khm8.jpg"
    3⤵
    - Executes dropped EXE
    PID:6656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-uzwcvi.6zhjm.jpg" "
  2⤵
  PID:2536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38ED.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC5D6C1C6949724BD79D5B7B3D524DBC85.TMP"
      4⤵
      PID:6684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-uzwcvi.6zhjm.jpg"
    3⤵
    - Executes dropped EXE
    PID:7104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1d726oo.7a3j.jpg" "
  2⤵
  PID:4344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A55.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCC414ECF1DFBC487C882A17DA7E303C57.TMP"
      4⤵
      PID:6900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-gyaqq0.r24r4.jpg" "
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-gyaqq0.r24r4.jpg"
    3⤵
    - Executes dropped EXE
    PID:6708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1bvscoy.jkfq.jpg" "
  2⤵
  PID:1696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EBA.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCFB69AE00C83C437EAEA620267E0ABD4.TMP"
      4⤵
      PID:6996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1tz2jzv.wx37.jpg" "
  2⤵
  PID:5968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:6796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D71.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC161C8478661E4F8F8F80EB7FADE7E4D5.TMP"
      4⤵
      PID:6680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-4bpgql.vwz0a.jpg" "
  2⤵
  PID:6148
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-4bpgql.vwz0a.jpg"
    3⤵
    - Executes dropped EXE
    PID:7720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-knh1zl.hpluf.jpg" "
  2⤵
  PID:6516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-knh1zl.hpluf.jpg"
    3⤵
    - Executes dropped EXE
    PID:6824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-k41d0c.1argd.jpg" "
  2⤵
  PID:6768
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-k41d0c.1argd.jpg"
    3⤵
    - Executes dropped EXE
    PID:7372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-o3q4kq.lnfc.jpg" "
  2⤵
  PID:6620
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-o3q4kq.lnfc.jpg"
    3⤵
    - Executes dropped EXE
    PID:6660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1dhmiqi.zv1j.jpg" "
  2⤵
  PID:6420
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1dhmiqi.zv1j.jpg"
    3⤵
    - Executes dropped EXE
    PID:7196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:6460
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:6472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:6652
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:8124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:6432
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:7176
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:7224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:7980
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:7484
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5920
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:6720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-vk2a0b.hxc5q.jpg" "
  2⤵
  PID:7376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-vk2a0b.hxc5q.jpg"
    3⤵
    - Executes dropped EXE
    PID:8068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1p0eu47.ygjp.jpg" "
  2⤵
  PID:8056
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1p0eu47.ygjp.jpg"
    3⤵
    - Executes dropped EXE
    PID:7808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1csihc2.7roaf.jpg" "
  2⤵
  PID:7816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1csihc2.7roaf.jpg"
    3⤵
    - Executes dropped EXE
    PID:6464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-11y4xdm.zl86.jpg" "
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-11y4xdm.zl86.jpg"
    3⤵
    - Executes dropped EXE
    PID:7996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-j65pl1.1eqi.jpg" "
  2⤵
  PID:7724
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-j65pl1.1eqi.jpg"
    3⤵
    - Executes dropped EXE
    PID:5428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-3t8m81.rheu9.jpg" "
  2⤵
  PID:6264
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-3t8m81.rheu9.jpg"
    3⤵
    - Executes dropped EXE
    PID:6672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-148r5bo.cjgh.jpg" "
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-148r5bo.cjgh.jpg"
    3⤵
    - Executes dropped EXE
    PID:5164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jdid9z.b41z.jpg" "
  2⤵
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jdid9z.b41z.jpg"
    3⤵
    - Executes dropped EXE
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fzup5o.zrd2l.jpg" "
  2⤵
  PID:7180
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fzup5o.zrd2l.jpg"
    3⤵
    - Executes dropped EXE
    PID:5488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1lqxavu.oa8u.jpg" "
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1lqxavu.oa8u.jpg"
    3⤵
    - Executes dropped EXE
    PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1bzci34.c525.jpg" "
  2⤵
  PID:5800
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1bzci34.c525.jpg"
    3⤵
    - Executes dropped EXE
    PID:6088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-jocgnu.lpib.jpg" "
  2⤵
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-jocgnu.lpib.jpg"
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1e14xgp.w6uj.jpg" "
  2⤵
  PID:4208
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1e14xgp.w6uj.jpg"
    3⤵
    PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-cb6p4u.sghdj.jpg" "
  2⤵
  PID:6192
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-cb6p4u.sghdj.jpg"
    3⤵
    PID:6068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-slqb5r.7a9l.jpg" "
  2⤵
  PID:5376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-slqb5r.7a9l.jpg"
    3⤵
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-tttg76.kdc8.jpg" "
  2⤵
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-tttg76.kdc8.jpg"
    3⤵
    PID:6220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1xm3rvx.w8w7.jpg" "
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1xm3rvx.w8w7.jpg"
    3⤵
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-yduggm.2f4lr.jpg" "
  2⤵
  PID:5900
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-yduggm.2f4lr.jpg"
    3⤵
    PID:6188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vclxig.eplf.jpg" "
  2⤵
  PID:5636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vclxig.eplf.jpg"
    3⤵
    PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-16oum8y.35vx.jpg" "
  2⤵
  PID:5692
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-16oum8y.35vx.jpg"
    3⤵
    PID:5388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-180qp64.i8q9k.jpg" "
  2⤵
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-180qp64.i8q9k.jpg"
    3⤵
    PID:5896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1je4f42.qy68j.jpg" "
  2⤵
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1je4f42.qy68j.jpg"
    3⤵
    PID:5876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-i4d641.l74mp.jpg" "
  2⤵
  PID:5472
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-i4d641.l74mp.jpg"
    3⤵
    PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jujs3f.331xj.jpg" "
  2⤵
  PID:6344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jujs3f.331xj.jpg"
    3⤵
    PID:6236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-k3lgnb.anng.jpg" "
  2⤵
  PID:6356
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-k3lgnb.anng.jpg"
    3⤵
    PID:7056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1xzfcor.0r7n.jpg" "
  2⤵
  PID:8096
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1xzfcor.0r7n.jpg"
    3⤵
    PID:6332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-5c7g3z.wrxac.jpg" "
  2⤵
  PID:6536
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-5c7g3z.wrxac.jpg"
    3⤵
    PID:7244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vfd2rd.1yegi.jpg" "
  2⤵
  PID:5920
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7484
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vfd2rd.1yegi.jpg"
    3⤵
    PID:6468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1uvyyhv.csl4.jpg" "
  2⤵
  PID:6308
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1uvyyhv.csl4.jpg"
    3⤵
    PID:6604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-y9y3g4.7sn9f.jpg" "
  2⤵
  PID:6452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6488
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-y9y3g4.7sn9f.jpg"
    3⤵
    PID:6492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-5u8vuo.5z0yb.jpg" "
  2⤵
  PID:7104
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-5u8vuo.5z0yb.jpg"
    3⤵
    PID:7048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1c2jb7s.gmu8.jpg" "
  2⤵
  PID:6632
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7740
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1c2jb7s.gmu8.jpg"
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-qw21f6.p8ugh.jpg" "
  2⤵
  PID:4148
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-qw21f6.p8ugh.jpg"
    3⤵
    PID:7248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-14dc8vm.scdj.jpg" "
  2⤵
  PID:7388
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-14dc8vm.scdj.jpg"
    3⤵
    PID:7580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1gckuve.agkd.jpg" "
  2⤵
  PID:6612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1gckuve.agkd.jpg"
    3⤵
    PID:8032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-tmkg3z.5b3uk.jpg" "
  2⤵
  PID:6760
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-tmkg3z.5b3uk.jpg"
    3⤵
    PID:7720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-dx9yvd.ikou9.jpg" "
  2⤵
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-dx9yvd.ikou9.jpg"
    3⤵
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1b60k4j.6of8.jpg" "
  2⤵
  PID:2124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3108
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1b60k4j.6of8.jpg"
    3⤵
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1s018fv.xyvfi.jpg" "
  2⤵
  PID:7156
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1s018fv.xyvfi.jpg"
    3⤵
    PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1dz35yv.l4xp.jpg" "
  2⤵
  PID:7256
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1dz35yv.l4xp.jpg"
    3⤵
    PID:6884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-py88pr.e3xc.jpg" "
  2⤵
  PID:7004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-py88pr.e3xc.jpg"
    3⤵
    PID:7824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1weyxxb.2foo.jpg" "
  2⤵
  PID:7292
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1weyxxb.2foo.jpg"
    3⤵
    PID:7852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1lhclvt.hpxf.jpg" "
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1lhclvt.hpxf.jpg"
    3⤵
    PID:8116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1naa3su.s67d.jpg" "
  2⤵
  PID:6820
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1naa3su.s67d.jpg"
    3⤵
    PID:7764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ldl0an.1lh2.jpg" "
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ldl0an.1lh2.jpg"
    3⤵
    PID:6404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1219btx.x15pf.jpg" "
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1219btx.x15pf.jpg"
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-3d1zfc.i62ww.jpg" "
  2⤵
  PID:6284
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-3d1zfc.i62ww.jpg"
    3⤵
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ce9104.avyo5.jpg" "
  2⤵
  PID:5848
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ce9104.avyo5.jpg"
    3⤵
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-o0jqwd.hqsx.jpg" "
  2⤵
  PID:6388
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-o0jqwd.hqsx.jpg"
    3⤵
    PID:5440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-3x092h.gzdza.jpg" "
  2⤵
  PID:68
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-3x092h.gzdza.jpg"
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1g6fd1m.8lz9.jpg" "
  2⤵
  PID:5320
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1g6fd1m.8lz9.jpg"
    3⤵
    PID:6988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wot8jw.85kf.jpg" "
  2⤵
  PID:6164
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wot8jw.85kf.jpg"
    3⤵
    PID:5432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1utse47.p00bk.jpg" "
  2⤵
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1utse47.p00bk.jpg"
    3⤵
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-vmtdku.suoo.jpg" "
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-vmtdku.suoo.jpg"
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wad04x.9ozt.jpg" "
  2⤵
  PID:6220
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wad04x.9ozt.jpg"
    3⤵
    PID:5460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-cm96j7.smqyo.jpg" "
  2⤵
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-cm96j7.smqyo.jpg"
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-19mp2wv.5mez.jpg" "
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-19mp2wv.5mez.jpg"
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-mox0aa.jsko.jpg" "
  2⤵
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-mox0aa.jsko.jpg"
    3⤵
    PID:5592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1oflwt5.w3wl.jpg" "
  2⤵
  PID:5528
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1oflwt5.w3wl.jpg"
    3⤵
    PID:5656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1pv97se.z2in.jpg" "
  2⤵
  PID:5260
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1pv97se.z2in.jpg"
    3⤵
    PID:5128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1iygn7n.ak47.jpg" "
  2⤵
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1iygn7n.ak47.jpg"
    3⤵
    PID:6116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-fyqwqr.risjh.jpg" "
  2⤵
  PID:5880
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-fyqwqr.risjh.jpg"
    3⤵
    PID:6304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1pajuc.g4iuz.jpg" "
  2⤵
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1pajuc.g4iuz.jpg"
    3⤵
    PID:600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ddok03.oyn8s.jpg" "
  2⤵
  PID:6176
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ddok03.oyn8s.jpg"
    3⤵
    PID:6576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ljrftd.5c5l.jpg" "
  2⤵
  PID:7512
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ljrftd.5c5l.jpg"
    3⤵
    PID:7432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fxi5qh.y2nbf.jpg" "
  2⤵
  PID:7296
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fxi5qh.y2nbf.jpg"
    3⤵
    PID:6700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mtxuf5.ks2dh.jpg" "
  2⤵
  PID:6996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7224
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mtxuf5.ks2dh.jpg"
    3⤵
    PID:6208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-y7f6zt.tjrn.jpg" "
  2⤵
  PID:7392
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-y7f6zt.tjrn.jpg"
    3⤵
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-hq6882.9zr1v.jpg" "
  2⤵
  PID:6348
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-hq6882.9zr1v.jpg"
    3⤵
    PID:6308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-14vwsz4.vrrn.jpg" "
  2⤵
  PID:6716
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-14vwsz4.vrrn.jpg"
    3⤵
    PID:6832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-42uzid.37bfr.jpg" "
  2⤵
  PID:7308
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-42uzid.37bfr.jpg"
    3⤵
    PID:7008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1a88dx3.wtec.jpg" "
  2⤵
  PID:2436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7272
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1a88dx3.wtec.jpg"
    3⤵
    PID:5424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mfwyd2.45f6f.jpg" "
  2⤵
  PID:7072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mfwyd2.45f6f.jpg"
    3⤵
    PID:7700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-711ty3.tafvp.jpg" "
  2⤵
  PID:7580
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-711ty3.tafvp.jpg"
    3⤵
    PID:7440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1rk2nik.gma4.jpg" "
  2⤵
  PID:7968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1rk2nik.gma4.jpg"
    3⤵
    PID:6620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ge7j5t.gq5m.jpg" "
  2⤵
  PID:6460
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ge7j5t.gq5m.jpg"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1uklh0t.c9qm.jpg" "
  2⤵
  PID:4456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1uklh0t.c9qm.jpg"
    3⤵
    PID:816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-k9ut6d.bug1.jpg" "
  2⤵
  PID:7948
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-k9ut6d.bug1.jpg"
    3⤵
    PID:5400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ti37va.uh8q.jpg" "
  2⤵
  PID:7616
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ti37va.uh8q.jpg"
    3⤵
    PID:6480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-168moaj.hk45l.jpg" "
  2⤵
  PID:6416
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-168moaj.hk45l.jpg"
    3⤵
    PID:7668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1z0b57c.j4q8.jpg" "
  2⤵
  PID:7928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1z0b57c.j4q8.jpg"
    3⤵
    PID:7144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-18ilb8u.ndjl.jpg" "
  2⤵
  PID:5776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6024
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-18ilb8u.ndjl.jpg"
    3⤵
    PID:6888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-19f7j17.v414.jpg" "
  2⤵
  PID:7764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-19f7j17.v414.jpg"
    3⤵
    PID:5304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-18ay9mh.tihd.jpg" "
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-18ay9mh.tihd.jpg"
    3⤵
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-tfmgbk.dedl.jpg" "
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-tfmgbk.dedl.jpg"
    3⤵
    PID:7136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-phowpk.pzz1.jpg" "
  2⤵
  PID:8136
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-phowpk.pzz1.jpg"
    3⤵
    PID:5144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-jahjhl.lrn4.jpg" "
  2⤵
  PID:7460
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-jahjhl.lrn4.jpg"
    3⤵
    PID:5736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-11km7g3.eihe.jpg" "
  2⤵
  PID:3716
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-11km7g3.eihe.jpg"
    3⤵
    PID:5140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1b6n4ya.rt1l.jpg" "
  2⤵
  PID:4920
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6872
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1b6n4ya.rt1l.jpg"
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-km3pov.d8kom.jpg" "
  2⤵
  PID:7664
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-km3pov.d8kom.jpg"
    3⤵
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-olt3si.u5628.jpg" "
  2⤵
  PID:6204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-olt3si.u5628.jpg"
    3⤵
    PID:5988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fftf88.0a9j.jpg" "
  2⤵
  PID:6780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fftf88.0a9j.jpg"
    3⤵
    PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-16poycx.gop8h.jpg" "
  2⤵
  PID:7448
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-16poycx.gop8h.jpg"
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-eh0e22.hb2t6.jpg" "
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-eh0e22.hb2t6.jpg"
    3⤵
    PID:8188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1e2wja9.d59xe.jpg" "
  2⤵
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1e2wja9.d59xe.jpg"
    3⤵
    PID:7424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-108cez2.5b4yl.jpg" "
  2⤵
  PID:5924
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-108cez2.5b4yl.jpg"
    3⤵
    PID:5872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1chcsa9.msn2.jpg" "
  2⤵
  PID:5224
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1chcsa9.msn2.jpg"
    3⤵
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-15m24xg.og4.jpg" "
  2⤵
  PID:420
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-15m24xg.og4.jpg"
    3⤵
    PID:6064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-7vu3wv.bcxpr.jpg" "
  2⤵
  PID:6004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-7vu3wv.bcxpr.jpg"
    3⤵
    PID:5516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-cwwaxb.764xc.jpg" "
  2⤵
  PID:7220
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-cwwaxb.764xc.jpg"
    3⤵
    PID:7412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-50cx1e.v6dpf.jpg" "
  2⤵
  PID:8020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-50cx1e.v6dpf.jpg"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-16j7arw.mf8c.jpg" "
  2⤵
  PID:8048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-16j7arw.mf8c.jpg"
    3⤵
    PID:6316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1muy3lr.t2rb.jpg" "
  2⤵
  PID:7120
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1muy3lr.t2rb.jpg"
    3⤵
    PID:7316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fa5wx8.gea2.jpg" "
  2⤵
  PID:7408
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fa5wx8.gea2.jpg"
    3⤵
    PID:6816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1omhds5.n239.jpg" "
  2⤵
  PID:7032
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1omhds5.n239.jpg"
    3⤵
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-w7seji.8ptzj.jpg" "
  2⤵
  PID:8112
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-w7seji.8ptzj.jpg"
    3⤵
    PID:7012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ff9stw.x5xt8.jpg" "
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ff9stw.x5xt8.jpg"
    3⤵
    PID:7396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1l6vbq4.63g2.jpg" "
  2⤵
  PID:6440
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6984
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1l6vbq4.63g2.jpg"
    3⤵
    PID:6452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1tj1cfg.9o5v.jpg" "
  2⤵
  PID:7048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1tj1cfg.9o5v.jpg"
    3⤵
    PID:6364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1465oiu.w74r.jpg" "
  2⤵
  PID:7196
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1465oiu.w74r.jpg"
    3⤵
    PID:6336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ftccjx.n6pa.jpg" "
  2⤵
  PID:7480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ftccjx.n6pa.jpg"
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-yu9k8g.tfgj.jpg" "
  2⤵
  PID:7184
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-yu9k8g.tfgj.jpg"
    3⤵
    PID:7656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ibi9e3.brnih.jpg" "
  2⤵
  PID:7608
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ibi9e3.brnih.jpg"
    3⤵
    PID:6612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-172oua2.bn4l.jpg" "
  2⤵
  PID:396
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4972
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-172oua2.bn4l.jpg"
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1j49tm.h3803.jpg" "
  2⤵
  PID:6800
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1j49tm.h3803.jpg"
    3⤵
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1sn15v1.lw7u.jpg" "
  2⤵
  PID:7376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1sn15v1.lw7u.jpg"
    3⤵
    PID:6932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-5yaer3.70hjh.jpg" "
  2⤵
  PID:7920
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-5yaer3.70hjh.jpg"
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-14o1exn.zjml.jpg" "
  2⤵
  PID:7312
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-14o1exn.zjml.jpg"
    3⤵
    PID:8092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-mvrkj0.7d8y.jpg" "
  2⤵
  PID:6416
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-mvrkj0.7d8y.jpg"
    3⤵
    PID:7068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jaa4nk.bmde.jpg" "
  2⤵
  PID:7064
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jaa4nk.bmde.jpg"
    3⤵
    PID:5772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-18vlg8a.1gqi.jpg" "
  2⤵
  PID:7800
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-18vlg8a.1gqi.jpg"
    3⤵
    PID:6820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-68ioyq.229ok.jpg" "
  2⤵
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-68ioyq.229ok.jpg"
    3⤵
    PID:5312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-yozafq.m2rs.jpg" "
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-yozafq.m2rs.jpg"
    3⤵
    PID:5964
- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\Launcher" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4772 --field-trial-handle=1828,i,9485400543562405587,2561247085738740591,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:7464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-bqqi6b.9ggra.jpg" "
  2⤵
  PID:5340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-bqqi6b.9ggra.jpg"
    3⤵
    PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-p3fl8.oycyrb.jpg" "
  2⤵
  PID:6100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6680
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-p3fl8.oycyrb.jpg"
    3⤵
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fu0eud.8mop.jpg" "
  2⤵
  PID:5696
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1fu0eud.8mop.jpg"
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-y52glj.jzffm.jpg" "
  2⤵
  PID:68
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-y52glj.jzffm.jpg"
    3⤵
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-kvh9ue.zv2f.jpg" "
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-kvh9ue.zv2f.jpg"
    3⤵
    PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vx6sat.umnb.jpg" "
  2⤵
  PID:5680
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1vx6sat.umnb.jpg"
    3⤵
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mrmprq.7fkv.jpg" "
  2⤵
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mrmprq.7fkv.jpg"
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-pkysxj.f1s8.jpg" "
  2⤵
  PID:5124
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-pkysxj.f1s8.jpg"
    3⤵
    PID:5384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ygzx0o.iwttl.jpg" "
  2⤵
  PID:6428
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ygzx0o.iwttl.jpg"
    3⤵
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-gb6ddi.jukm4.jpg" "
  2⤵
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-gb6ddi.jukm4.jpg"
    3⤵
    PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1odyma.zizxk.jpg" "
  2⤵
  PID:5332
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1odyma.zizxk.jpg"
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-17kits4.j9mh.jpg" "
  2⤵
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-17kits4.j9mh.jpg"
    3⤵
    PID:5856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-sfjnqz.wouun.jpg" "
  2⤵
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-sfjnqz.wouun.jpg"
    3⤵
    PID:6048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-khd2zq.d2fog.jpg" "
  2⤵
  PID:5516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-khd2zq.d2fog.jpg"
    3⤵
    PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-j6d1hy.esvzr.jpg" "
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-j6d1hy.esvzr.jpg"
    3⤵
    PID:7916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-wuej86.mox4j.jpg" "
  2⤵
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-wuej86.mox4j.jpg"
    3⤵
    PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1o0y1f1.kbci.jpg" "
  2⤵
  PID:8148
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6236
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1o0y1f1.kbci.jpg"
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-82mmyg.k5ipb.jpg" "
  2⤵
  PID:7512
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6332
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-82mmyg.k5ipb.jpg"
    3⤵
    PID:6668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1bualeb.9m8s.jpg" "
  2⤵
  PID:7088
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1bualeb.9m8s.jpg"
    3⤵
    PID:6360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-18m4n50.hzoc.jpg" "
  2⤵
  PID:7192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6536
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-18m4n50.hzoc.jpg"
    3⤵
    PID:7260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-120e2a1.p6pz.jpg" "
  2⤵
  PID:7012
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6292
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-120e2a1.p6pz.jpg"
    3⤵
    PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-nbiayh.hmy.jpg" "
  2⤵
  PID:6276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6824
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-nbiayh.hmy.jpg"
    3⤵
    PID:6752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-b7yrca.1b8o9.jpg" "
  2⤵
  PID:6848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6728
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-b7yrca.1b8o9.jpg"
    3⤵
    PID:6600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wxk0ll.5yj2.jpg" "
  2⤵
  PID:4236
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1wxk0ll.5yj2.jpg"
    3⤵
    PID:7372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-13pyl6n.fcxp.jpg" "
  2⤵
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-13pyl6n.fcxp.jpg"
    3⤵
    PID:7400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jzcrjy.1b9vi.jpg" "
  2⤵
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1jzcrjy.1b9vi.jpg"
    3⤵
    PID:7536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1juo1b8.u5c9.jpg" "
  2⤵
  PID:7640
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1juo1b8.u5c9.jpg"
    3⤵
    PID:7896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-ykhm16.hkv7h.jpg" "
  2⤵
  PID:8036
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-ykhm16.hkv7h.jpg"
    3⤵
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-aoyfjb.omd0f.jpg" "
  2⤵
  PID:2732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6652
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-aoyfjb.omd0f.jpg"
    3⤵
    PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-vktwm0.ngvf.jpg" "
  2⤵
  PID:6412
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-vktwm0.ngvf.jpg"
    3⤵
    PID:7860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1qvt3e4.t3x8.jpg" "
  2⤵
  PID:8156
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1qvt3e4.t3x8.jpg"
    3⤵
    PID:7844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-oobteg.14gr.jpg" "
  2⤵
  PID:7888
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-oobteg.14gr.jpg"
    3⤵
    PID:7004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-17z7zgq.lhwr.jpg" "
  2⤵
  PID:7796
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-17z7zgq.lhwr.jpg"
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ogr680.1im8.jpg" "
  2⤵
  PID:6416
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1ogr680.1im8.jpg"
    3⤵
    PID:5236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-acg9mt.9nawh.jpg" "
  2⤵
  PID:7292
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-acg9mt.9nawh.jpg"
    3⤵
    PID:6888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-18fcaey.hub4.jpg" "
  2⤵
  PID:6764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-18fcaey.hub4.jpg"
    3⤵
    PID:5552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-fv84x3.hemid.jpg" "
  2⤵
  PID:6404
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-fv84x3.hemid.jpg"
    3⤵
    PID:5740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-oh4dg7.6flhq.jpg" "
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-oh4dg7.6flhq.jpg"
    3⤵
    PID:5144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-v8dmp0.2n1v.jpg" "
  2⤵
  PID:5992
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-v8dmp0.2n1v.jpg"
    3⤵
    PID:7592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-19176s6.u5bug.jpg" "
  2⤵
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-19176s6.u5bug.jpg"
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mvsqvi.sjjq.jpg" "
  2⤵
  PID:5252
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1mvsqvi.sjjq.jpg"
    3⤵
    PID:5548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1tsuvxz.n7r3.jpg" "
  2⤵
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1tsuvxz.n7r3.jpg"
    3⤵
    PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-wdr7oc.bv9pd.jpg" "
  2⤵
  PID:5336
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-wdr7oc.bv9pd.jpg"
    3⤵
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1k4i17s.nzgsk.jpg" "
  2⤵
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1k4i17s.nzgsk.jpg"
    3⤵
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-95ssao.x7bc.jpg" "
  2⤵
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-95ssao.x7bc.jpg"
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-xpdput.ggo5j.jpg" "
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-xpdput.ggo5j.jpg"
    3⤵
    PID:3392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-s7xeko.2f42j.jpg" "
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-s7xeko.2f42j.jpg"
    3⤵
    PID:5864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-yn0f0t.awas.jpg" "
  2⤵
  PID:7552
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-yn0f0t.awas.jpg"
    3⤵
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-stsr26.219f.jpg" "
  2⤵
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-stsr26.219f.jpg"
    3⤵
    PID:5656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1zc4e1.6aybr.jpg" "
  2⤵
  PID:7508
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1zc4e1.6aybr.jpg"
    3⤵
    PID:6596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-fv0fqs.uakq5.jpg" "
  2⤵
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-fv0fqs.uakq5.jpg"
    3⤵
    PID:6528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-cyfrqa.gzzs6.jpg" "
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-cyfrqa.gzzs6.jpg"
    3⤵
    PID:5516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-24ufj5.bmqow.jpg" "
  2⤵
  PID:7228
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-24ufj5.bmqow.jpg"
    3⤵
    PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-kr9hag.ljzv.jpg" "
  2⤵
  PID:6176
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-kr9hag.ljzv.jpg"
    3⤵
    PID:6224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-8pwwpx.5ikwo.jpg" "
  2⤵
  PID:6544
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-8pwwpx.5ikwo.jpg"
    3⤵
    PID:8128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-150ubv1.ynso.jpg" "
  2⤵
  PID:7472
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-150ubv1.ynso.jpg"
    3⤵
    PID:6584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1gormub.mq7.jpg" "
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1gormub.mq7.jpg"
    3⤵
    PID:7216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024219-316-1x4jvsf.8q63.jpg" "
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024219-316-1x4jvsf.8q63.jpg"
    3⤵
    PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024219-316-dyw6s3.5i6g.jpg

Filesize
71KB

MD5
a8cceec2c6c716f6d081de012fa1af0a

SHA1
00dad3c2e961073d122fdf55ed4d339f9bdb9b82

SHA256
25f882bfaf842abc79be332d9112c7400ce104c10579052b1c80a34a7b20c24f

SHA512
582065f4cc3d6d535580ef43157a7ce5205d728b580c7a4e699543e5c4c8369b000c93a56d1ed6f942a6cf81c530cae4218a7bda5db45fe2544f8b4212d4f02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3709.tmp

Filesize
1KB

MD5
1f2d812d8080a2b29c7c1627fbe8c17a

SHA1
384d8bdc081ba645458eaca12587bbacb317133d

SHA256
0cd8855399947274a2f42aad856310f2007de2239997d40b335b46175f0e11b1

SHA512
7f4454a0d703d798ab3009a0f4ffc231c1f238ee32794aa954e3fbb8f76be47ac0e7d1e140b435dfb0e8b6fdc496d938df8060c77ebd467805a965b1bf4dc3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3747.tmp

Filesize
1KB

MD5
af3bf282c9fb70e99259ca930464381b

SHA1
7552e1a4e1dd1127fe09e69efdddfb21a3c80f76

SHA256
779e31f4cece2fb9fc7f42d45a5faaad073476044792e0a3fb2a2927e1fc0b59

SHA512
c6c35eac85c49bf79aa97d412b0dcb7ab27ec9dd33eba7be1d3acb9a505d570850f19548bfd47a68fc748d0844e527bebac5359fd7484d382e73b4fcebe9cb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3748.tmp

Filesize
1KB

MD5
0801fbcb2b829287f7748d497e84e1cb

SHA1
9f0a96b2c36f06d320c13ab64fc057de140078d6

SHA256
6838d68ef9ca5c5d4ef13c2675cefc272645c7a3bf99def6b3c2753feff93300

SHA512
e7ead2f3a73753399308a3f63db1b95bba360f6ebc9d75db58827ff2120328f04533931a0ca5105a802865df9bea79b8a2621eacc672093ef2f7ebb06e468279

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES37B5.tmp

Filesize
1KB

MD5
d0dda5c1358dec369dfd22c95fd06ab5

SHA1
8c65fd37c0e3b1107ae50117bd2ce9d80aadd48b

SHA256
a1a61816c287ba28a55cfc80a485e199b0e8180f8736aafbd2ed0035da287083

SHA512
0b18b2f6fb81d5e96f740dc2d82b54172ef67a12d562d2fd2a64ea9f87b276cd5b89f491961a2c58f3a4ca1151224b122c37fbbb22f5f873cff1094c25a48262

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3803.tmp

Filesize
1KB

MD5
95df0ee3d68ee79c6d78d78d7a41e77c

SHA1
6eb6360224d965e910adb55a3a140ffc8186ccb1

SHA256
d0138b260b8b189aae9b53ccbfcd38c68e6902b815818bb2b17f5b1ef727955b

SHA512
71bcee55d1628d65098a292085485c917cf43d5e2a74882152935f7221cab532a81785fb6c4ccbcb5159f313a6e6e33a8bb0967ac5a1ef167213f0c7a49fef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES389F.tmp

Filesize
1KB

MD5
72e4648ad58b917f4a6191585cb20cec

SHA1
efc7d3ce75cf4de8b83890fa4fb3ebb97a83c29a

SHA256
900f0184622555516e67c2c547734e086d7acfeba822cfdda330c93d89d627f8

SHA512
f07928740a387638ff636c895baf27114ac662f8dd701eee790db78b97b261d13b4e9b6c9829baea75224caf7fcec6dc4ee3f18f718380efb20d5b2e95ca084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38DE.tmp

Filesize
1KB

MD5
a0d1d555544bd5289d8b8eca5361e5b1

SHA1
29b0a5f74df52936d37fd31f113034920d67b74d

SHA256
9d22efaae065bd354b3f1b41977220cd88490560091564e48098a5d5aec22f25

SHA512
b6661339bc10705fe41a11f07d467b5bdf7df8cfc3f0b6e0355216fd5a2d376966a2e595e783c61223b891d083163e223b88a8af53ae704a10001a64cbd940ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38ED.tmp

Filesize
1KB

MD5
8026ccb81e9fb0afbf9916b3b7cb9864

SHA1
e9f0ba75d0559fc9edca6ee77f91c92f3fc77340

SHA256
565c6ade5d09e112657b7d4371c0671814d503f1939e9b6caad249edb4dafbd7

SHA512
6c50bc5c1b030f0c9cdfe03e0d03c7731387845d38e2667e88680dcaddbd865415c08e85ea005f9b3d4e0984427bc417269bc3281e04a6ea68b5d287110c6e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38FD.tmp

Filesize
1KB

MD5
a38dc4fc8cc2b50cb496001be5cb2bd8

SHA1
6513c9efdbbc15cb92d91207b85edb59b499bf6e

SHA256
8c96ba6d6cdd10690d6f5b55db20aaa323ea57a920872a7bb58f590cc2298b7d

SHA512
a7f4bf862a670f653db1355133947fe2aba05915a34a6eeb94ec4ec8f0c90b150882d4ab76b5dce16a2ca868fba8e1d03a3eddab99129722fa3e50beb77a28fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES39C8.tmp

Filesize
1KB

MD5
37ced1410d258c8cd0164d56e1cca3aa

SHA1
750840f92870f86f91c914d3448f59ffad7652db

SHA256
6a813f4098e5db131ac72d71814570d47f40c52f1756da15be4e264dcb3a3f7c

SHA512
89056552eef8a9dd4b656ffa4f84264ce126a9a35c784eb7d246db221fba3d87a50eec618ce9e904823da2edf7f820efc5200292ad393e9c9f66a2861df878e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A16.tmp

Filesize
1KB

MD5
7d4d86ccd9b9254fb59d7c00f39928e1

SHA1
ba40a6f466148fac9e3bb182fa99a7571e36dee5

SHA256
3661384c1ce298c598c1436e289f3862c27172d86471356eab95578bbd444f85

SHA512
b04eb79a0de9b477ed200598d3c0cdf6ccfb09921b42aa8a84d6e9d140dad347c6a87d54d00afe75ab1e534ec9a81645459e8719dcb78adca9274b36bd7e290d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A55.tmp

Filesize
1KB

MD5
885d384d75218815c15a638c3d01655e

SHA1
b9eca9831ab4da191aaa205413b6b1f38a145168

SHA256
3958dbdcc48575a9494c4578c33609c431ba0115e8afde430ee7af9f3446836b

SHA512
21db1ccb7622ec64ca147449f9f85e405f2c5b541c2f18b0db65f2df203dada0513444b950437bc27e8f0325a620ee3d28e382640ea32646df8c83d8a1089f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A64.tmp

Filesize
1KB

MD5
800d4216108e821e7e5190fac19600c2

SHA1
360f1a2c7c647d3245b04794a7ebff15237c0a88

SHA256
8d7ec6e618eb02c5403f59eb56c009bc210ccfddb91352608c136ff331930de6

SHA512
31422e2b91fec06ec6ec32c6e47ea027b5962c976a29a6325f46236242afba13a500fcf436df6df1cfa97f793b2063493ddd284a9b44d7dd5b16347ea27a34b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AC2.tmp

Filesize
1KB

MD5
30ded497246d971aa072e763efac0878

SHA1
dbf9e1c43cd5d5b597b39445cd9222e1fa643a29

SHA256
e8379b748da17c3e082fac4697aed856b4a4b8f1c914ea5f965c76232c713a0d

SHA512
48052274162a360b23b4518304a54a3cfd6571cc131875eb0625da366ee9202fffabdbf866e53621920fb19c9edf4e09120eebec98ef09e4d132522eb945c1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Antivirus.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
249B

MD5
cf7e4a12f932a3fddddacc8b10e1f1b0

SHA1
db6f9bc2be5e0905086b7b7b07109ef8d67b24ee

SHA256
1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b

SHA512
fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\CSCB00B615B1D694120B9C8A9863060F09B.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
9422f9c88fbb4ceac79155e3f5f4a989

SHA1
5fd45bc6cdd3ed9a754b48790c8979479e34ea0e

SHA256
41f144e8375cf3be4ba7b7fba8289f3ad64f547149e3a5f7c52a69808be34258

SHA512
37c94ceded9482314c359c3c0f67f5e011dd0143af66adc4aea375c7c1f44851ae0121ec250c9930c9a26bbc5bd6d2b1b4aad0984248d93a88595f5b464d45d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
59ab283ac2540f714c1d9addd97fb228

SHA1
683979d9763f7be4d84a530e1b7819dd593ee14f

SHA256
0877631d03e7b8017940dcdb4929381b7e89f6763fabb079b808cf270a89e8e0

SHA512
3dd92252e2dbe8d1487bc5b092e9f8f8053b74aa3e2a1090f714b2505f678ae15a9592da6911a99e5a0340d50c8be1e95a31a93265145589583612ea63a19c58

Download Submit
C:\Users\Admin\AppData\Roaming\Launcher\Network\Network Persistent State

Filesize
300B

MD5
89c729281469245fe3b50b7abfcc2976

SHA1
49a14103de6b9dbebdb32c925b2387a7ee3d98c1

SHA256
2560ecee64b69756757ca0fdea21440d6497bd3e310d23ceee0a86852f4487ed

SHA512
6af77413cd644adde9323575e8dd2b984ed000b7dedc15da5d0b37a7943f449095f770a8d8483d18b02d78d4cdf735df0de3499a806e3ff8f47b11129c9b58a1

Download Submit
C:\Users\Admin\AppData\Roaming\Launcher\Network\Network Persistent State~RFe590bbe.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
6d6e0e5a21fd59c481ad9bc1dd5d4194

SHA1
456de34540e639164b06db1e6664cb4e4e48ffe3

SHA256
aad4fb630f3f2a7b08fa15d717e58a771ab6b1d4c6548f0f416e2510a0f52943

SHA512
bb006f27dc3b5b83a0c3f7cce04afcdde79456781b1c148b9981cd7c0fef69fd16095de1371075fb15742d9bd6b66d7cd2a4ec38d7a42b439f81e2fcd02cc8f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
21b6484743a5f9d05dbfc94155c5ff0d

SHA1
e65370ae11c4bce35e165b892ed06aa5518e2380

SHA256
0e9c29fb44e04508145ce8dae43d0cd70e28cc720b464347c50437f92b507760

SHA512
50107c3058b61a174feb37afe7d35fff7fc7235b0480cad2ef08b68b8f6f7bf77ac71cc20c9c1a8d6988d5d150cec409216758575ff0a29ea457def27370e367

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
4bf935c3d27a65dd4c90ff2ec52d64c3

SHA1
c753cd09120b5184809c0a3c9151fbdae14e7d2d

SHA256
32145f69993e1b03f843ff860fd410679d17a07bee40f724a6396d32005ea190

SHA512
06c092c658d7d7f8b6b28dd7569fa02e4f14c68a240f7cd46e460b6cc57f1de3de1fb80ef41deb5e614fd2a94d3e3337387480b69b4d623ea144e91369b0e473

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
7b99457702d426a9b5c1ff3ed8a382cd

SHA1
072752393965529a527c9af8996af393292583cf

SHA256
2af595e320ac43c1bb7b10766663503a8231b9dcabcf374b74d58a09e1964b0f

SHA512
021a3cbe8839f870a1bf22a7ff9579851461872676bdf302456e96d0ba289f9a7e464b6a5c9733162a0daf0b7780df813cb1c8d69859137dd50d1cedafe8025b

Download Submit
\Users\Admin\AppData\Local\Temp\3bb25e0c-a676-4d9f-b378-2312778f2808.tmp.node

Filesize
122KB

MD5
7208be374320a2c691ee7e15655afbc3

SHA1
f1a09eb40caecb3e97c0b67712681b1955625d6b

SHA256
733dd401ed791379a13e77f6b8dd3602615c47e83c4e3c0c84f25e2db8a0b7f1

SHA512
df659bfa39a39dabdca7fcc88f12bcaacd35f03d431fb655f63f45ee78ec7c4af3fe181a15db1c0829c13788186313004ad5f63a1d17dc809d9bc065681f6629

Download Submit
memory/1912-449-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-468-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-470-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2352-371-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/5540-374-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6288-313-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6288-367-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6336-393-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6364-446-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6376-406-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6392-388-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6440-364-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6452-375-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6452-302-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6488-376-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6492-370-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6572-301-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6572-324-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6640-365-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6656-444-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6660-475-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6708-447-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6716-381-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6744-377-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6752-322-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6752-291-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6824-477-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6828-433-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6832-359-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6844-428-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6860-403-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6868-363-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6868-323-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6892-455-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6892-408-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6900-409-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6908-372-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6928-378-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6956-366-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6976-456-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/6984-431-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7016-382-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7020-405-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7048-429-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7084-394-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7104-407-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7128-404-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7140-282-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7140-270-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/7140-358-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7148-430-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7164-445-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7196-476-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7196-480-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7272-469-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7280-457-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7288-448-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7300-454-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7308-432-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7372-487-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7720-471-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7720-474-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7740-465-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download
memory/7752-460-0x00007FFF10420000-0x00007FFF10E0C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads