epsilon | 79ae38d3832ab7d48543039eff6078538465eb83d8fbb124db2e319295ab5e68

Analysis

max time kernel
153s
max time network
164s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Node-js.exe
Size

134.3MB
MD5

06295a324f405a3c7082f1fbadc35f1e
SHA1

513108b3aeb2ad8491c6dd1ad74d4711bc85b2f8
SHA256

80770adbb4d1c5d6736eb80e2aa0246965a76ea99517f0e1a77c16d0f0fc4957
SHA512

41205e55908be61c0bd81fe904710b88dfb1e37d06b1c48d5b66b16f4c52ce2101991f158da3fa228e9b5511cc30563fdf6329c75a4c49554ce294c5ca0d48c7
SSDEEP

1572864:94T4NPd8vk0E4UmdhRhPoXFzcwkqwBWKEFM:v1TJXzV+

Score

10^/10

epsilon persistence spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation	Node-js.exe

Executes dropped EXE 64 IoCs

pid	Process
2540	screenCapture_1.3.2.exe
2580	screenCapture_1.3.2.exe
3068	screenCapture_1.3.2.exe
2516	screenCapture_1.3.2.exe
2384	screenCapture_1.3.2.exe
2748	screenCapture_1.3.2.exe
1700	screenCapture_1.3.2.exe
888	screenCapture_1.3.2.exe
592	screenCapture_1.3.2.exe
1620	screenCapture_1.3.2.exe
1796	screenCapture_1.3.2.exe
1280	screenCapture_1.3.2.exe
1848	screenCapture_1.3.2.exe
2324	screenCapture_1.3.2.exe
2976	screenCapture_1.3.2.exe
2092	screenCapture_1.3.2.exe
2636	screenCapture_1.3.2.exe
2796	screenCapture_1.3.2.exe
1712	screenCapture_1.3.2.exe
112	screenCapture_1.3.2.exe
1912	screenCapture_1.3.2.exe
2660	screenCapture_1.3.2.exe
2000	screenCapture_1.3.2.exe
1824	screenCapture_1.3.2.exe
648	screenCapture_1.3.2.exe
1736	screenCapture_1.3.2.exe
2244	screenCapture_1.3.2.exe
1328	screenCapture_1.3.2.exe
1240	screenCapture_1.3.2.exe
1848	screenCapture_1.3.2.exe
1560	screenCapture_1.3.2.exe
432	screenCapture_1.3.2.exe
2324	screenCapture_1.3.2.exe
1524	screenCapture_1.3.2.exe
2732	screenCapture_1.3.2.exe
1632	screenCapture_1.3.2.exe
2084	screenCapture_1.3.2.exe
112	screenCapture_1.3.2.exe
3052	screenCapture_1.3.2.exe
1936	screenCapture_1.3.2.exe
1736	screenCapture_1.3.2.exe
2108	screenCapture_1.3.2.exe
2216	screenCapture_1.3.2.exe
1324	screenCapture_1.3.2.exe
2436	screenCapture_1.3.2.exe
2212	screenCapture_1.3.2.exe
2968	screenCapture_1.3.2.exe
588	screenCapture_1.3.2.exe
1976	screenCapture_1.3.2.exe
932	screenCapture_1.3.2.exe
804	screenCapture_1.3.2.exe
520	screenCapture_1.3.2.exe
2584	screenCapture_1.3.2.exe
1368	screenCapture_1.3.2.exe
1320	screenCapture_1.3.2.exe
2696	screenCapture_1.3.2.exe
1980	screenCapture_1.3.2.exe
1856	screenCapture_1.3.2.exe
2428	screenCapture_1.3.2.exe
2264	screenCapture_1.3.2.exe
2776	screenCapture_1.3.2.exe
2348	screenCapture_1.3.2.exe
1612	screenCapture_1.3.2.exe
1632	screenCapture_1.3.2.exe

Loads dropped DLL 2 IoCs

pid	Process
1184	Node-js.exe
1184	Node-js.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsBootManager = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsBootManager.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2280	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2044	tasklist.exe
880	tasklist.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

pid	Process
2104	csc.exe
1680	csc.exe
832	csc.exe
2120	csc.exe
2352	csc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3016	Node-js.exe
1184	Node-js.exe
1184	Node-js.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeSecurityPrivilege	2604	WMIC.exe
Token: SeTakeOwnershipPrivilege	2604	WMIC.exe
Token: SeLoadDriverPrivilege	2604	WMIC.exe
Token: SeSystemProfilePrivilege	2604	WMIC.exe
Token: SeSystemtimePrivilege	2604	WMIC.exe
Token: SeProfSingleProcessPrivilege	2604	WMIC.exe
Token: SeIncBasePriorityPrivilege	2604	WMIC.exe
Token: SeCreatePagefilePrivilege	2604	WMIC.exe
Token: SeBackupPrivilege	2604	WMIC.exe
Token: SeRestorePrivilege	2604	WMIC.exe
Token: SeShutdownPrivilege	2604	WMIC.exe
Token: SeDebugPrivilege	2604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2604	WMIC.exe
Token: SeRemoteShutdownPrivilege	2604	WMIC.exe
Token: SeUndockPrivilege	2604	WMIC.exe
Token: SeManageVolumePrivilege	2604	WMIC.exe
Token: 33	2604	WMIC.exe
Token: 34	2604	WMIC.exe
Token: 35	2604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeSecurityPrivilege	2604	WMIC.exe
Token: SeTakeOwnershipPrivilege	2604	WMIC.exe
Token: SeLoadDriverPrivilege	2604	WMIC.exe
Token: SeSystemProfilePrivilege	2604	WMIC.exe
Token: SeSystemtimePrivilege	2604	WMIC.exe
Token: SeProfSingleProcessPrivilege	2604	WMIC.exe
Token: SeIncBasePriorityPrivilege	2604	WMIC.exe
Token: SeCreatePagefilePrivilege	2604	WMIC.exe
Token: SeBackupPrivilege	2604	WMIC.exe
Token: SeRestorePrivilege	2604	WMIC.exe
Token: SeShutdownPrivilege	2604	WMIC.exe
Token: SeDebugPrivilege	2604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2604	WMIC.exe
Token: SeRemoteShutdownPrivilege	2604	WMIC.exe
Token: SeUndockPrivilege	2604	WMIC.exe
Token: SeManageVolumePrivilege	2604	WMIC.exe
Token: 33	2604	WMIC.exe
Token: 34	2604	WMIC.exe
Token: 35	2604	WMIC.exe
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeIncreaseQuotaPrivilege	676	WMIC.exe
Token: SeSecurityPrivilege	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	676	WMIC.exe
Token: SeLoadDriverPrivilege	676	WMIC.exe
Token: SeSystemProfilePrivilege	676	WMIC.exe
Token: SeSystemtimePrivilege	676	WMIC.exe
Token: SeProfSingleProcessPrivilege	676	WMIC.exe
Token: SeIncBasePriorityPrivilege	676	WMIC.exe
Token: SeCreatePagefilePrivilege	676	WMIC.exe
Token: SeBackupPrivilege	676	WMIC.exe
Token: SeRestorePrivilege	676	WMIC.exe
Token: SeShutdownPrivilege	676	WMIC.exe
Token: SeDebugPrivilege	676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	676	WMIC.exe
Token: SeRemoteShutdownPrivilege	676	WMIC.exe
Token: SeUndockPrivilege	676	WMIC.exe
Token: SeManageVolumePrivilege	676	WMIC.exe
Token: 33	676	WMIC.exe
Token: 34	676	WMIC.exe
Token: 35	676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	676	WMIC.exe
Token: SeSecurityPrivilege	676	WMIC.exe
Token: SeTakeOwnershipPrivilege	676	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2496	1184	Node-js.exe	28
PID 1184 wrote to memory of 2496	1184	Node-js.exe	28
PID 1184 wrote to memory of 2496	1184	Node-js.exe	28
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 2496 wrote to memory of 2604	2496	cmd.exe	31
PID 2496 wrote to memory of 2604	2496	cmd.exe	31
PID 2496 wrote to memory of 2604	2496	cmd.exe	31
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2644	1184	Node-js.exe	30
PID 1184 wrote to memory of 2716	1184	Node-js.exe	33
PID 1184 wrote to memory of 2716	1184	Node-js.exe	33
PID 1184 wrote to memory of 2716	1184	Node-js.exe	33
PID 1184 wrote to memory of 2140	1184	Node-js.exe	34
PID 1184 wrote to memory of 2140	1184	Node-js.exe	34
PID 1184 wrote to memory of 2140	1184	Node-js.exe	34
PID 1184 wrote to memory of 328	1184	Node-js.exe	35
PID 1184 wrote to memory of 328	1184	Node-js.exe	35
PID 1184 wrote to memory of 328	1184	Node-js.exe	35
PID 1184 wrote to memory of 2716	1184	Node-js.exe	33
PID 1184 wrote to memory of 1824	1184	Node-js.exe	37
PID 1184 wrote to memory of 1824	1184	Node-js.exe	37
PID 1184 wrote to memory of 1824	1184	Node-js.exe	37
PID 1184 wrote to memory of 2716	1184	Node-js.exe	33
PID 1184 wrote to memory of 2716	1184	Node-js.exe	33
PID 1824 wrote to memory of 2044	1824	cmd.exe	40
PID 1824 wrote to memory of 2044	1824	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\Node-js.exe
"C:\Users\Admin\AppData\Local\Temp\Node-js.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\Node-js.exe
  "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=gpu-process --field-trial-handle=1068,3550203540164706208,1417463853522039480,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 /prefetch:2
  2⤵
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\Node-js.exe
  "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=gpu-process --field-trial-handle=1068,3550203540164706208,1417463853522039480,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 /prefetch:2
  2⤵
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:328
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:320
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:2276
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:2500
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2836
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:2244
- C:\Users\Admin\AppData\Local\Temp\Node-js.exe
  "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1068,3550203540164706208,1417463853522039480,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --mojo-platform-channel-handle=1552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f"
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f
    3⤵
    - Adds Run key to start application
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-py86ls.60cvg.jpg" "
  2⤵
  PID:1416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES865F.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC871F6EDB20CC4F219AEA6E4A9EEABE.TMP"
      4⤵
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-py86ls.60cvg.jpg"
    3⤵
    - Executes dropped EXE
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-86j721.26r8q.jpg" "
  2⤵
  PID:760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8640.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC5E211B12189341A0B557367A1E654F2.TMP"
      4⤵
      PID:1600
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-86j721.26r8q.jpg"
    3⤵
    - Executes dropped EXE
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mb5nhi.q17fj.jpg" "
  2⤵
  PID:960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86AE.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCC7BD249F546549E58BD6DB4FF03ACBDF.TMP"
      4⤵
      PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-b1bkya.85tpi.jpg" "
  2⤵
  PID:1532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86AD.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCED626FAAEC4349CE8D48CC1198A6820.TMP"
      4⤵
      PID:2664
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-b1bkya.85tpi.jpg"
    3⤵
    - Executes dropped EXE
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-nv2urs.r81fr.jpg" "
  2⤵
  PID:1956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86AF.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCB32967F6E35C4C9D8134DBF7CFC9734F.TMP"
      4⤵
      PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-l6v6v0.711sa.jpg" "
  2⤵
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-l6v6v0.711sa.jpg"
    3⤵
    - Executes dropped EXE
    PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-kz6izo.j806q.jpg" "
  2⤵
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-kz6izo.j806q.jpg"
    3⤵
    - Executes dropped EXE
    PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-qfhdpu.18ft.jpg" "
  2⤵
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-qfhdpu.18ft.jpg"
    3⤵
    - Executes dropped EXE
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1kskgc1.u402.jpg" "
  2⤵
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1kskgc1.u402.jpg"
    3⤵
    - Executes dropped EXE
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-8xmvs8.ili2n.jpg" "
  2⤵
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-8xmvs8.ili2n.jpg"
    3⤵
    - Executes dropped EXE
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1v2t9ob.inin.jpg" "
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1v2t9ob.inin.jpg"
    3⤵
    - Executes dropped EXE
    PID:888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1lydjwj.cvoe.jpg" "
  2⤵
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1lydjwj.cvoe.jpg"
    3⤵
    - Executes dropped EXE
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-kvy2mt.p1gc.jpg" "
  2⤵
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-kvy2mt.p1gc.jpg"
    3⤵
    - Executes dropped EXE
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1wc2huk.mp41.jpg" "
  2⤵
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1wc2huk.mp41.jpg"
    3⤵
    - Executes dropped EXE
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1bbor3k.05hc.jpg" "
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1bbor3k.05hc.jpg"
    3⤵
    - Executes dropped EXE
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-vvql3x.91dnm.jpg" "
  2⤵
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-vvql3x.91dnm.jpg"
    3⤵
    - Executes dropped EXE
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-gafv7q.q937v.jpg" "
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-gafv7q.q937v.jpg"
    3⤵
    - Executes dropped EXE
    PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ee4xrw.lmdak.jpg" "
  2⤵
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ee4xrw.lmdak.jpg"
    3⤵
    - Executes dropped EXE
    PID:2092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sz4o97.1uyy.jpg" "
  2⤵
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sz4o97.1uyy.jpg"
    3⤵
    - Executes dropped EXE
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-13qeaoy.06gpg.jpg" "
  2⤵
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-13qeaoy.06gpg.jpg"
    3⤵
    - Executes dropped EXE
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-nmo9k1.fje3a.jpg" "
  2⤵
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-nmo9k1.fje3a.jpg"
    3⤵
    - Executes dropped EXE
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-yswbpr.wpq4q.jpg" "
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-yswbpr.wpq4q.jpg"
    3⤵
    - Executes dropped EXE
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-131buq2.xdbuf.jpg" "
  2⤵
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-131buq2.xdbuf.jpg"
    3⤵
    - Executes dropped EXE
    PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mfapfr.lz70i.jpg" "
  2⤵
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mfapfr.lz70i.jpg"
    3⤵
    - Executes dropped EXE
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-hilg3n.0eiet.jpg" "
  2⤵
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-hilg3n.0eiet.jpg"
    3⤵
    - Executes dropped EXE
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-e7nf7i.2l3k.jpg" "
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-e7nf7i.2l3k.jpg"
    3⤵
    - Executes dropped EXE
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-x3uad3.ks1m9.jpg" "
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-x3uad3.ks1m9.jpg"
    3⤵
    - Executes dropped EXE
    PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sm0ymy.eyxe.jpg" "
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sm0ymy.eyxe.jpg"
    3⤵
    - Executes dropped EXE
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-jp4k37.w7b2l.jpg" "
  2⤵
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-jp4k37.w7b2l.jpg"
    3⤵
    - Executes dropped EXE
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1vy7cty.jtmm.jpg" "
  2⤵
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1vy7cty.jtmm.jpg"
    3⤵
    - Executes dropped EXE
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mdkhe.zil2k.jpg" "
  2⤵
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mdkhe.zil2k.jpg"
    3⤵
    - Executes dropped EXE
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ke5w1l.0m0a.jpg" "
  2⤵
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ke5w1l.0m0a.jpg"
    3⤵
    - Executes dropped EXE
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1d6q8sg.9wzr.jpg" "
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1d6q8sg.9wzr.jpg"
    3⤵
    - Executes dropped EXE
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-l7pjl9.3zoq.jpg" "
  2⤵
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-l7pjl9.3zoq.jpg"
    3⤵
    - Executes dropped EXE
    PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-e6il5p.c6r8k.jpg" "
  2⤵
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-e6il5p.c6r8k.jpg"
    3⤵
    - Executes dropped EXE
    PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-elq0t.6wemaw.jpg" "
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-elq0t.6wemaw.jpg"
    3⤵
    - Executes dropped EXE
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-50loox.y14l7.jpg" "
  2⤵
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-50loox.y14l7.jpg"
    3⤵
    - Executes dropped EXE
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-19us4fh.9duvg.jpg" "
  2⤵
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-19us4fh.9duvg.jpg"
    3⤵
    - Executes dropped EXE
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-sq0cyq.nk37.jpg" "
  2⤵
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-sq0cyq.nk37.jpg"
    3⤵
    - Executes dropped EXE
    PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1r0gbwk.qm5kk.jpg" "
  2⤵
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1r0gbwk.qm5kk.jpg"
    3⤵
    - Executes dropped EXE
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-zfi6t3.cnbn.jpg" "
  2⤵
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-zfi6t3.cnbn.jpg"
    3⤵
    - Executes dropped EXE
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1d63gik.8egwj.jpg" "
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1d63gik.8egwj.jpg"
    3⤵
    - Executes dropped EXE
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-cbeh8m.t7upj.jpg" "
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-cbeh8m.t7upj.jpg"
    3⤵
    - Executes dropped EXE
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-53xzj3.gyl8j.jpg" "
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-53xzj3.gyl8j.jpg"
    3⤵
    - Executes dropped EXE
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1co6sdf.rv4i.jpg" "
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1co6sdf.rv4i.jpg"
    3⤵
    - Executes dropped EXE
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1cmxpnp.kv0ml.jpg" "
  2⤵
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1cmxpnp.kv0ml.jpg"
    3⤵
    - Executes dropped EXE
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-thfwt1.s0uvh.jpg" "
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-thfwt1.s0uvh.jpg"
    3⤵
    - Executes dropped EXE
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-7z2vn8.evo3t.jpg" "
  2⤵
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-7z2vn8.evo3t.jpg"
    3⤵
    - Executes dropped EXE
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-btooft.s3yyf.jpg" "
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-btooft.s3yyf.jpg"
    3⤵
    - Executes dropped EXE
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-3rrpfc.fq57k.jpg" "
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-3rrpfc.fq57k.jpg"
    3⤵
    - Executes dropped EXE
    PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ot2cc9.cq3r.jpg" "
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ot2cc9.cq3r.jpg"
    3⤵
    - Executes dropped EXE
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-10q68iu.uqej.jpg" "
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-10q68iu.uqej.jpg"
    3⤵
    - Executes dropped EXE
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nxgiz6.28in.jpg" "
  2⤵
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nxgiz6.28in.jpg"
    3⤵
    - Executes dropped EXE
    PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-13qvpoa.8svl.jpg" "
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-13qvpoa.8svl.jpg"
    3⤵
    - Executes dropped EXE
    PID:520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1y5dljd.4kil.jpg" "
  2⤵
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1y5dljd.4kil.jpg"
    3⤵
    - Executes dropped EXE
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-u5yd6n.pi66.jpg" "
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-u5yd6n.pi66.jpg"
    3⤵
    - Executes dropped EXE
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-nj3d2d.n3ft.jpg" "
  2⤵
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-nj3d2d.n3ft.jpg"
    3⤵
    - Executes dropped EXE
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1g37ex7.qmkk.jpg" "
  2⤵
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1g37ex7.qmkk.jpg"
    3⤵
    - Executes dropped EXE
    PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-cux08z.coekr.jpg" "
  2⤵
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-cux08z.coekr.jpg"
    3⤵
    - Executes dropped EXE
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ty9mgt.51q6g.jpg" "
  2⤵
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ty9mgt.51q6g.jpg"
    3⤵
    - Executes dropped EXE
    PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-sncd3a.u1o6q.jpg" "
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-sncd3a.u1o6q.jpg"
    3⤵
    - Executes dropped EXE
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-103v5zy.4qtc.jpg" "
  2⤵
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-103v5zy.4qtc.jpg"
    3⤵
    - Executes dropped EXE
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-4zcoh6.6gpze.jpg" "
  2⤵
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-4zcoh6.6gpze.jpg"
    3⤵
    - Executes dropped EXE
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-10ko201.1qxm.jpg" "
  2⤵
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-10ko201.1qxm.jpg"
    3⤵
    - Executes dropped EXE
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-pe4fis.b89j.jpg" "
  2⤵
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-pe4fis.b89j.jpg"
    3⤵
    - Executes dropped EXE
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-d9yk8g.313ga.jpg" "
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-d9yk8g.313ga.jpg"
    3⤵
    - Executes dropped EXE
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1veifwu.fcf2.jpg" "
  2⤵
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1veifwu.fcf2.jpg"
    3⤵
    PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-qlpb0m.o4ci.jpg" "
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-qlpb0m.o4ci.jpg"
    3⤵
    PID:332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1oz9cku.kxxn.jpg" "
  2⤵
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1oz9cku.kxxn.jpg"
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1rh4h4y.rzmx.jpg" "
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1rh4h4y.rzmx.jpg"
    3⤵
    PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-7fj4gc.laepw.jpg" "
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-7fj4gc.laepw.jpg"
    3⤵
    PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-15ur9w2.nzg3.jpg" "
  2⤵
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-15ur9w2.nzg3.jpg"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1c9dikk.zsu7.jpg" "
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1c9dikk.zsu7.jpg"
    3⤵
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1a1d6wu.pue9l.jpg" "
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1a1d6wu.pue9l.jpg"
    3⤵
    PID:328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mw3um1.iyzy.jpg" "
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mw3um1.iyzy.jpg"
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-18uu6ch.1wq9.jpg" "
  2⤵
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-18uu6ch.1wq9.jpg"
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1cdsfqw.2zh6.jpg" "
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1cdsfqw.2zh6.jpg"
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-fm9x80.01kib.jpg" "
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-fm9x80.01kib.jpg"
    3⤵
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1pgw2hk.9vez.jpg" "
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1pgw2hk.9vez.jpg"
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-q8q2yf.ojrxg.jpg" "
  2⤵
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-q8q2yf.ojrxg.jpg"
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-fjfpfb.7y8ae.jpg" "
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-fjfpfb.7y8ae.jpg"
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ep4ext.9ly2.jpg" "
  2⤵
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ep4ext.9ly2.jpg"
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1t10ix6.uasc.jpg" "
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1t10ix6.uasc.jpg"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-10hz4qn.rgy9.jpg" "
  2⤵
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-10hz4qn.rgy9.jpg"
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ue5yby.8pwh.jpg" "
  2⤵
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ue5yby.8pwh.jpg"
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-5gd4an.tvmio.jpg" "
  2⤵
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-5gd4an.tvmio.jpg"
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-fqh85l.omhq8.jpg" "
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-fqh85l.omhq8.jpg"
    3⤵
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ahnqce.mkvt.jpg" "
  2⤵
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ahnqce.mkvt.jpg"
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-8515oh.d60ra.jpg" "
  2⤵
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-8515oh.d60ra.jpg"
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1brxvl6.bh7e.jpg" "
  2⤵
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1brxvl6.bh7e.jpg"
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-edodty.f6aw5.jpg" "
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-edodty.f6aw5.jpg"
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-19oriwn.kyaq.jpg" "
  2⤵
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-19oriwn.kyaq.jpg"
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mwstjb.c8j5.jpg" "
  2⤵
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1mwstjb.c8j5.jpg"
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-16uusvj.64sx.jpg" "
  2⤵
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-16uusvj.64sx.jpg"
    3⤵
    PID:832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1652fje.buj3h.jpg" "
  2⤵
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1652fje.buj3h.jpg"
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-troxxq.qrogn.jpg" "
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-troxxq.qrogn.jpg"
    3⤵
    PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-cvlkti.iyoqp.jpg" "
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-cvlkti.iyoqp.jpg"
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-6pptx7.4snes.jpg" "
  2⤵
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-6pptx7.4snes.jpg"
    3⤵
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1jghz38.gpye.jpg" "
  2⤵
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1jghz38.gpye.jpg"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-150g80p.899mj.jpg" "
  2⤵
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-150g80p.899mj.jpg"
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-6ne748.owdbv.jpg" "
  2⤵
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-6ne748.owdbv.jpg"
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1f5lhf.b8n6oh.jpg" "
  2⤵
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1f5lhf.b8n6oh.jpg"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1u8qynt.og4i.jpg" "
  2⤵
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1u8qynt.og4i.jpg"
    3⤵
    PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-larccv.rsesq.jpg" "
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-larccv.rsesq.jpg"
    3⤵
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1rpyopc.pcmx.jpg" "
  2⤵
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1rpyopc.pcmx.jpg"
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-11vdxz7.7gl9f.jpg" "
  2⤵
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-11vdxz7.7gl9f.jpg"
    3⤵
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-2ej3yj.vltst.jpg" "
  2⤵
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-2ej3yj.vltst.jpg"
    3⤵
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-hh5471.ccm3i.jpg" "
  2⤵
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-hh5471.ccm3i.jpg"
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-g5an15.s8pok.jpg" "
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-g5an15.s8pok.jpg"
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-66dicm.47uar.jpg" "
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-66dicm.47uar.jpg"
    3⤵
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-7b8qr1.bdiw8.jpg" "
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-7b8qr1.bdiw8.jpg"
    3⤵
    PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1tfb8pc.o22bk.jpg" "
  2⤵
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1tfb8pc.o22bk.jpg"
    3⤵
    PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1o88bwy.25pu.jpg" "
  2⤵
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1o88bwy.25pu.jpg"
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fjoizb.7g2g.jpg" "
  2⤵
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fjoizb.7g2g.jpg"
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1577sa2.c82t.jpg" "
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1577sa2.c82t.jpg"
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-jq82h.j116xk.jpg" "
  2⤵
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-jq82h.j116xk.jpg"
    3⤵
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sh6hvg.slna.jpg" "
  2⤵
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sh6hvg.slna.jpg"
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-11azzkw.u4wd.jpg" "
  2⤵
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-11azzkw.u4wd.jpg"
    3⤵
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-gi8u5n.v9fx.jpg" "
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-gi8u5n.v9fx.jpg"
    3⤵
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1atqwk.hfyvj.jpg" "
  2⤵
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1atqwk.hfyvj.jpg"
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-lzr1eq.424tm.jpg" "
  2⤵
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-lzr1eq.424tm.jpg"
    3⤵
    PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1h1y0h6.jrf7.jpg" "
  2⤵
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1h1y0h6.jrf7.jpg"
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1tlz3nd.08cm.jpg" "
  2⤵
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1tlz3nd.08cm.jpg"
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-cz3h8c.00z5f.jpg" "
  2⤵
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-cz3h8c.00z5f.jpg"
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-i6dpmv.fc8af.jpg" "
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-i6dpmv.fc8af.jpg"
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1t4jbik.xpv2.jpg" "
  2⤵
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1t4jbik.xpv2.jpg"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1bkisqp.jwbw.jpg" "
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1bkisqp.jwbw.jpg"
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-18a34xp.ngqs.jpg" "
  2⤵
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-18a34xp.ngqs.jpg"
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-i0zs2x.8d3lq.jpg" "
  2⤵
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-i0zs2x.8d3lq.jpg"
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-z5qpms.ou5gm.jpg" "
  2⤵
  PID:520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-z5qpms.ou5gm.jpg"
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-6e1sur.kn3y8.jpg" "
  2⤵
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-6e1sur.kn3y8.jpg"
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ksrdqf.jl66s.jpg" "
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ksrdqf.jl66s.jpg"
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nadssx.qxmg.jpg" "
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nadssx.qxmg.jpg"
    3⤵
    PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1e2kifr.cuak.jpg" "
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1e2kifr.cuak.jpg"
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-18lae83.uxcrf.jpg" "
  2⤵
  PID:612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-18lae83.uxcrf.jpg"
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fziwrk.85nkg.jpg" "
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fziwrk.85nkg.jpg"
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-jf8wcc.t9s2r.jpg" "
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-jf8wcc.t9s2r.jpg"
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-14uv6jh.86pnl.jpg" "
  2⤵
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-14uv6jh.86pnl.jpg"
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1m47761.evms.jpg" "
  2⤵
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1m47761.evms.jpg"
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-13c4k9s.vy8b.jpg" "
  2⤵
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-13c4k9s.vy8b.jpg"
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-6ylll8.b6fzh.jpg" "
  2⤵
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-6ylll8.b6fzh.jpg"
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-u835rl.h9rc.jpg" "
  2⤵
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-u835rl.h9rc.jpg"
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-hgmpw7.6qymc.jpg" "
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-hgmpw7.6qymc.jpg"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-114xxgw.p2ry.jpg" "
  2⤵
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-114xxgw.p2ry.jpg"
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-2moxut.lxnz3.jpg" "
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-2moxut.lxnz3.jpg"
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-a8nvip.kzyqm.jpg" "
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-a8nvip.kzyqm.jpg"
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-g24x0p.wiw7j.jpg" "
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-g24x0p.wiw7j.jpg"
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-7oi2oe.azl3.jpg" "
  2⤵
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-7oi2oe.azl3.jpg"
    3⤵
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-13p9owr.pb0y.jpg" "
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-13p9owr.pb0y.jpg"
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-t2e0vt.y5nz.jpg" "
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-t2e0vt.y5nz.jpg"
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ttk3dm.cp508.jpg" "
  2⤵
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ttk3dm.cp508.jpg"
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1yjx1q4.z1s6.jpg" "
  2⤵
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1yjx1q4.z1s6.jpg"
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-15sry88.6yol.jpg" "
  2⤵
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-15sry88.6yol.jpg"
    3⤵
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-15r9dz2.7yli.jpg" "
  2⤵
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-15r9dz2.7yli.jpg"
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ltgplp.y8ltq.jpg" "
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ltgplp.y8ltq.jpg"
    3⤵
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-4dfe0f.8mcc1.jpg" "
  2⤵
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-4dfe0f.8mcc1.jpg"
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-vvn9ew.1dwp.jpg" "
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-vvn9ew.1dwp.jpg"
    3⤵
    PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-tyeg1y.mee1.jpg" "
  2⤵
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-tyeg1y.mee1.jpg"
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1lwivdl.123s.jpg" "
  2⤵
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1lwivdl.123s.jpg"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-hncyyy.qerek.jpg" "
  2⤵
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-hncyyy.qerek.jpg"
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ev2aba.gkaat.jpg" "
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ev2aba.gkaat.jpg"
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-11ycx6u.i83g.jpg" "
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-11ycx6u.i83g.jpg"
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1gm9vk2.zrpb.jpg" "
  2⤵
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1gm9vk2.zrpb.jpg"
    3⤵
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1od2mze.rudv.jpg" "
  2⤵
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1od2mze.rudv.jpg"
    3⤵
    PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-a0dzsx.h84va.jpg" "
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-a0dzsx.h84va.jpg"
    3⤵
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1j6fipj.k26z.jpg" "
  2⤵
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1j6fipj.k26z.jpg"
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nni3c9.emq8.jpg" "
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nni3c9.emq8.jpg"
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-dyr32d.wv7wr.jpg" "
  2⤵
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-dyr32d.wv7wr.jpg"
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-k5f3a1.exp6.jpg" "
  2⤵
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-k5f3a1.exp6.jpg"
    3⤵
    PID:328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1cui8wm.k87h.jpg" "
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1cui8wm.k87h.jpg"
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-wn1m3f.dkwx.jpg" "
  2⤵
  PID:648
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-wn1m3f.dkwx.jpg"
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1gtbt2w.xhj9.jpg" "
  2⤵
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1gtbt2w.xhj9.jpg"
    3⤵
    PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1qeczfb.6tv3.jpg" "
  2⤵
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1qeczfb.6tv3.jpg"
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-71jxqo.p4c8b.jpg" "
  2⤵
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-71jxqo.p4c8b.jpg"
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-twht0l.jahb.jpg" "
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-twht0l.jahb.jpg"
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-r4h547.sfd7.jpg" "
  2⤵
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-r4h547.sfd7.jpg"
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-12ndgcj.ldmel.jpg" "
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-12ndgcj.ldmel.jpg"
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-nog1hc.qhje.jpg" "
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-nog1hc.qhje.jpg"
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-j09fli.83qln.jpg" "
  2⤵
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-j09fli.83qln.jpg"
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1if5dbg.wx55.jpg" "
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1if5dbg.wx55.jpg"
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-8a8ke3.yb03n.jpg" "
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-8a8ke3.yb03n.jpg"
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1u5tto0.2zhz.jpg" "
  2⤵
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1u5tto0.2zhz.jpg"
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-10bi6zn.lv2o.jpg" "
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-10bi6zn.lv2o.jpg"
    3⤵
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-8jd0it.ndvlt.jpg" "
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-8jd0it.ndvlt.jpg"
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sqcv6z.ui4jk.jpg" "
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1sqcv6z.ui4jk.jpg"
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ijljl7.q0i9.jpg" "
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ijljl7.q0i9.jpg"
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-bhjv2e.zz0w6.jpg" "
  2⤵
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-bhjv2e.zz0w6.jpg"
    3⤵
    PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nw8g3d.v719.jpg" "
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nw8g3d.v719.jpg"
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1qdbepp.w6vt.jpg" "
  2⤵
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1qdbepp.w6vt.jpg"
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-fdfoch.wchol.jpg" "
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-fdfoch.wchol.jpg"
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-g1sijh.xdpwl.jpg" "
  2⤵
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-g1sijh.xdpwl.jpg"
    3⤵
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-iaepwf.o2hbd.jpg" "
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-iaepwf.o2hbd.jpg"
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-red1di.3q4va.jpg" "
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-red1di.3q4va.jpg"
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-2ws7rn.bbky6.jpg" "
  2⤵
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-2ws7rn.bbky6.jpg"
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-3pkh58.86ae6.jpg" "
  2⤵
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-3pkh58.86ae6.jpg"
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ctmrf6.nr3nj.jpg" "
  2⤵
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ctmrf6.nr3nj.jpg"
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ff3tij.grjb.jpg" "
  2⤵
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ff3tij.grjb.jpg"
    3⤵
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1lffb1q.89p1.jpg" "
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1lffb1q.89p1.jpg"
    3⤵
    PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-k3enhf.21npa.jpg" "
  2⤵
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-k3enhf.21npa.jpg"
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-qn2ytq.4x8o.jpg" "
  2⤵
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-qn2ytq.4x8o.jpg"
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-cdfw96.vjabh.jpg" "
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-cdfw96.vjabh.jpg"
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fzn84w.yvoa.jpg" "
  2⤵
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fzn84w.yvoa.jpg"
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-7u5gk8.k39q.jpg" "
  2⤵
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-7u5gk8.k39q.jpg"
    3⤵
    PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-r9t7rf.62o4g.jpg" "
  2⤵
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-r9t7rf.62o4g.jpg"
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1h1448z.nz5y.jpg" "
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1h1448z.nz5y.jpg"
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-155nb0z.hrm5.jpg" "
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-155nb0z.hrm5.jpg"
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-16rljkz.ontyl.jpg" "
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-16rljkz.ontyl.jpg"
    3⤵
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-18kkcpq.nrjt.jpg" "
  2⤵
  PID:604
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-18kkcpq.nrjt.jpg"
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-owxrd3.l2n9.jpg" "
  2⤵
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-owxrd3.l2n9.jpg"
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ox9p3a.ys8i.jpg" "
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ox9p3a.ys8i.jpg"
    3⤵
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-100u808.3g93.jpg" "
  2⤵
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-100u808.3g93.jpg"
    3⤵
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1qxpdv6.5o62g.jpg" "
  2⤵
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1qxpdv6.5o62g.jpg"
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1jf51sa.gfkx.jpg" "
  2⤵
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1jf51sa.gfkx.jpg"
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-lzrl5h.c0uyc.jpg" "
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-lzrl5h.c0uyc.jpg"
    3⤵
    PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-rs6w2i.ozb8.jpg" "
  2⤵
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-rs6w2i.ozb8.jpg"
    3⤵
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-rzdz8g.hv0wq.jpg" "
  2⤵
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-rzdz8g.hv0wq.jpg"
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1wf76y5.rpz5.jpg" "
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1wf76y5.rpz5.jpg"
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1v9eytd.bkt8h.jpg" "
  2⤵
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1v9eytd.bkt8h.jpg"
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-zadrzs.qc94i.jpg" "
  2⤵
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-zadrzs.qc94i.jpg"
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-nerp2r.7sxrg.jpg" "
  2⤵
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-nerp2r.7sxrg.jpg"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-706hk5.m5rdb.jpg" "
  2⤵
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-706hk5.m5rdb.jpg"
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-142aky1.3wuni.jpg" "
  2⤵
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-142aky1.3wuni.jpg"
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1hyn06f.bm3x.jpg" "
  2⤵
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1hyn06f.bm3x.jpg"
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-12aia41.8ixt.jpg" "
  2⤵
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-12aia41.8ixt.jpg"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-hu9yq9.fg4l.jpg" "
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-hu9yq9.fg4l.jpg"
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-aewi5c.jhaap.jpg" "
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-aewi5c.jhaap.jpg"
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1octojd.j16w.jpg" "
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1octojd.j16w.jpg"
    3⤵
    PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-eixevl.ny8vl.jpg" "
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-eixevl.ny8vl.jpg"
    3⤵
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-3ktu4j.fytlu.jpg" "
  2⤵
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-3ktu4j.fytlu.jpg"
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-imq22g.7eroc.jpg" "
  2⤵
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-imq22g.7eroc.jpg"
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1bvr2rr.mxuy.jpg" "
  2⤵
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1bvr2rr.mxuy.jpg"
    3⤵
    PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-za1rtu.4xf4.jpg" "
  2⤵
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-za1rtu.4xf4.jpg"
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ul2xdl.m6qp.jpg" "
  2⤵
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1ul2xdl.m6qp.jpg"
    3⤵
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nexojy.zcvs.jpg" "
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nexojy.zcvs.jpg"
    3⤵
    PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-15qwz1c.cya5.jpg" "
  2⤵
  PID:612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-15qwz1c.cya5.jpg"
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-4d8otc.tm9c7.jpg" "
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-4d8otc.tm9c7.jpg"
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-3ib963.v7hb.jpg" "
  2⤵
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-3ib963.v7hb.jpg"
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1rsdo7i.z6vz.jpg" "
  2⤵
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1rsdo7i.z6vz.jpg"
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1n1zyik.6lxr.jpg" "
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1n1zyik.6lxr.jpg"
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-w9jwjv.yv8u.jpg" "
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-w9jwjv.yv8u.jpg"
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-2snzva.3xl7s.jpg" "
  2⤵
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-2snzva.3xl7s.jpg"
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-19m0xit.g8rnl.jpg" "
  2⤵
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-19m0xit.g8rnl.jpg"
    3⤵
    PID:988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ewow8o.kv0ps.jpg" "
  2⤵
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ewow8o.kv0ps.jpg"
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-hr0qjh.96xhc.jpg" "
  2⤵
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-hr0qjh.96xhc.jpg"
    3⤵
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1h8d3l8.7b6di.jpg" "
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1h8d3l8.7b6di.jpg"
    3⤵
    PID:332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1p4zlq1.yrhr.jpg" "
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1p4zlq1.yrhr.jpg"
    3⤵
    PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-11q6xmx.yfu1.jpg" "
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-11q6xmx.yfu1.jpg"
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ndjdwg.8vtx.jpg" "
  2⤵
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ndjdwg.8vtx.jpg"
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-du8tl1.asdtb.jpg" "
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-du8tl1.asdtb.jpg"
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nmvihz.drcih.jpg" "
  2⤵
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1nmvihz.drcih.jpg"
    3⤵
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1aho8le.0em7.jpg" "
  2⤵
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1aho8le.0em7.jpg"
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-nq92ru.smti.jpg" "
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-nq92ru.smti.jpg"
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-110d9tb.tgbo.jpg" "
  2⤵
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-110d9tb.tgbo.jpg"
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-qo5ile.y5jcg.jpg" "
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-qo5ile.y5jcg.jpg"
    3⤵
    PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1pkhs36.7hy4.jpg" "
  2⤵
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1pkhs36.7hy4.jpg"
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-psuv9f.16spr.jpg" "
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-psuv9f.16spr.jpg"
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-4v3z1e.7zoyx.jpg" "
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-4v3z1e.7zoyx.jpg"
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-5yamk1.42lzx.jpg" "
  2⤵
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-5yamk1.42lzx.jpg"
    3⤵
    PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-pammdc.p824.jpg" "
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-pammdc.p824.jpg"
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-k5coi6.j09yn.jpg" "
  2⤵
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-k5coi6.j09yn.jpg"
    3⤵
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-9dfx45.zyjga.jpg" "
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-9dfx45.zyjga.jpg"
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-cbufl.v2capm.jpg" "
  2⤵
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-cbufl.v2capm.jpg"
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1po3pj2.dw1q.jpg" "
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1po3pj2.dw1q.jpg"
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-f3watv.2ut5h.jpg" "
  2⤵
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-f3watv.2ut5h.jpg"
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ku69fr.ccg8.jpg" "
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ku69fr.ccg8.jpg"
    3⤵
    PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-57xsrk.g95ej.jpg" "
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-57xsrk.g95ej.jpg"
    3⤵
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-16bns77.iyd9g.jpg" "
  2⤵
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-16bns77.iyd9g.jpg"
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-p254td.2qvhc.jpg" "
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-p254td.2qvhc.jpg"
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-atdoeh.9m0g6.jpg" "
  2⤵
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-atdoeh.9m0g6.jpg"
    3⤵
    PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-m6c3tz.k719.jpg" "
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-m6c3tz.k719.jpg"
    3⤵
    PID:2092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-zxzz6a.84e7.jpg" "
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-zxzz6a.84e7.jpg"
    3⤵
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1p46fj9.a4fv.jpg" "
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1p46fj9.a4fv.jpg"
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-13xi2ed.as0h.jpg" "
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-13xi2ed.as0h.jpg"
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-ndvjm8.smbe.jpg" "
  2⤵
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-ndvjm8.smbe.jpg"
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fktqdh.jm8t.jpg" "
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1fktqdh.jm8t.jpg"
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-n5q5xa.pt3jp.jpg" "
  2⤵
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-n5q5xa.pt3jp.jpg"
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202438-1184-1x0npd1.cizk.jpg" "
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202438-1184-1x0npd1.cizk.jpg"
    3⤵
    PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1390660288701929901-11120293981074595357305790223-776837148895447545-820031191"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-148746198818507658891898604110181438266712215694231496782642892673052-1003217195"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1915970101-926863811-912031410413356617-1211453020-31825253860025108121061283"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2287985647411462771576588833248765081-678710452870895755123305918-540496857"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1138645684-11746978009661092961081448571-2015875496-12288875841941277986414171339"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-835899565-164628960220768153991456804346-820918856-1041741829-9682774571271552959"
1⤵
PID:2644

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1342689862-892618792789651934-87194425194823854915907408151170289222-1501014583"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "272767144-9919328621086838078-620614762-11571115759254417-9003082991247864701"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-821216625-127421257510740361672058508003-1223577960-1833849867404516550-159376406"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15903933318147790701397869580-1396237230-581025646-4079790851817766641-266517051"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19001946901320869306-22017333619494108291062236521-1932315489-15514909461017032846"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "96220166020935856441950580243-497532681-21224376331955177114194236365-1574425745"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1094909754-11216129611699515501864267994-1910768820-973400534-19736536521296258419"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88299912612088293081486043863-302921605-1964358713-20115163241698717329-1857286793"
1⤵
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-722485005-1802656232-1575017864712180026-1846131317508984664-221480749965573906"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3294971941241939696302025681-1901118427506161051462337151628584151666659738"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-790608816-18721156504654741341269223065-945171304484221474-1920255775-1671006200"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1073475545-423539806121205795214718005961324272297-125473912-444408593-1435910746"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1436379277-6833393581802314671050966155-18212480631833022043-234768866-2083577235"
1⤵
PID:736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-395112252-553869214-19239881943409372718151863971247180479-1977324615-1173495686"
1⤵
PID:1848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1920554351268590743-156386384-246256415-16756909591980151720-2248233381150478974"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1634319692-1947296818-620784034-1256473535-655247559-1168279871499330279-912954788"
1⤵
PID:1328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-220254894-962159915508562145-1887347571-1718106185-1046197813346179661007999333"
1⤵
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "192603024915017650491795304210-17244283311008553423100447155-1042555320287370149"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-125822822715529728905690384526039689261093722630215622569-1656198465-1269131388"
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-185996109086214571516854240121799221389-1093383855993032542-17066936751807441971"
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\202438-1184-py86ls.60cvg.jpg

Filesize
66KB

MD5
b6fdf73a72b204bbd9e4cc7c1f0b3da5

SHA1
bfc07cd18697af9d2c1f8b896de719baccbbe443

SHA256
7968dda27479ee8b3cbc3abc7523e42234a6854782e49ee98ea1405d527b3495

SHA512
5de6eb47e38cae06160e59185f2ea5475b7991d919b1f27fdf37f1ad48d29f21d05a6b80d541613ef66ebbf0a82df04ef5f1f9c789d215b68f49dfaa11ea894e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8640.tmp

Filesize
1KB

MD5
51d258cd08750e75f16a4f1fb791fa99

SHA1
3de2eb432b554d513fed67beb220469c7da80aab

SHA256
35d7a7b33f2f7dd505d44a33ffa34d117556e265f9ccfb4befcc607a9db9726c

SHA512
2994829148da7bd411a802b7fca882465c8d554bb02a4b5a7d6c61a73695a7a5b66064ab076b12239f2196d925a21a7facc31a3f7eb1056f1ed704b069051a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES865F.tmp

Filesize
1KB

MD5
196e90a6e9968e34e34582233144d063

SHA1
05cdcb3838c39b3a457789f6ce8192b8f7651e24

SHA256
c5b078f163f211a3a79054c31b1f46bcbf5bedc468a9fbbeae8c4905fb0d27fd

SHA512
5ff5ea281889ca800f4118374e93672a0253a378fcf4c55099810a1b88f2f28fbf10298919239fd125413bac02001f6aff12e8ec4ea79762b33741d558655343

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86AD.tmp

Filesize
1KB

MD5
f387b9f24ebec14c2e96bec2ebbdc6e0

SHA1
c24ea0fd40a502bad969ad8f6eb9e6508fe96300

SHA256
710094f940ac81215c2b3cc8cdf4829703bfa63d599620844396adad89e9564d

SHA512
8d994bb1a8f9217e044b32f342f510924eb55657618c936bca9e682fe732e13607da145f16f46471a4f81882b7ce7dc95fd26f730df53814353b7c9dbcff9e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86AE.tmp

Filesize
1KB

MD5
6b2b032747dba1bd01d3ce04b97baf48

SHA1
fdda947a5ba3a94f8e2cef0d07d54a9d4df4061d

SHA256
6241b149c191545585ce18bf6ff6933e19657e8966a34cde78c0064976245270

SHA512
333768c444fe8d2cb547ee9c9e83d52c59745997b214513f39bb2e4fa89df7f64749e5044c3b4ca1a968d28a4ee2ded8fd876b338b361dcaa464a612c81dc94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86AF.tmp

Filesize
1KB

MD5
6b1640bdec0284b05a25329f107bf09b

SHA1
86bb38655acb9d5dccbe08f4d41ef8ded675db5d

SHA256
3218fc2e608e54f5e5d28b27b9b2035bc8250864d9ded75f012796d70e038076

SHA512
6a91d681f0c5b036c938ee417b92205850b1e7d3ec926ccb029841ec175bf0e2c61633a494d16065c8d03c5acb87d133aed20f3b734595ee620c18a3f218e423

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
240B

MD5
810ae82f863a5ffae14d3b3944252a4e

SHA1
5393e27113753191436b14f0cafa8acabcfe6b2a

SHA256
453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

SHA512
2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\CSCED626FAAEC4349CE8D48CC1198A6820.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
e9c3f8d68ea1582e54d1dffc2c5408ac

SHA1
18e463c1c02af09175423a8e5b91f0b8b9010f63

SHA256
eed14a62aafc15c627dd0c56f9c551648be5d136edc914f812ef6a66eb6f726f

SHA512
72051e902253bd6e46fc18f3d45d8744f4f8a43a216d32d27e7ac9a838c017c659cd656ac32c0eb699ec0df00bfdac0972ffa637501224219040c7b30cee17cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
de84e425e0f0d034882d28b68298cae7

SHA1
af1f3d3667da76c48a559d127413c73eb75e1e5c

SHA256
6715506baa734be2f2b70c73a73800d0a05f49bdfe5181297d21594054ce5f0c

SHA512
8b9839f345092e387c6770bbc9e8d65cdf9cfa5c7d71a31c340500c7965798753635443da3f5d8b5d0c6f54b7a20fd03e300ab7720523d212ffe17425d4819ed

Download Submit
\Users\Admin\AppData\Local\Temp\3fefb00a-7199-4ff3-a098-556ae83f30b0.tmp.node

Filesize
2.7MB

MD5
30af610789f7032760077d9c1197d0f3

SHA1
b57027046f9c7b3d4cda0aef5c8baa334b6fc339

SHA256
64d0ead558c2ad1676574a0603111bf683286ea151daa2733c64739764de4722

SHA512
457dfb6de5b0ea065a8736447c3d63eb70161dffb1a4b5e2e0f9cdc579c5422cf305ffa48f90a847c5d98cf7888cb7022494c4e280ba7fe49c1e3035a81ca0a4

Download Submit
\Users\Admin\AppData\Local\Temp\a9dc2ca7-5023-465f-8f1b-de82c74c40e4.tmp.node

Filesize
652KB

MD5
8982448cb4f28b82876befe6e8af25d1

SHA1
4d3b2fb5b42fc27c1ac9363003abc16ada188581

SHA256
78734316565f73b735bc3acb4c8bc6b41fe886ca20ee81e620dbea1e23e1fb38

SHA512
3edef33d5cd40f3432aeae603e725f0aacd6e7e387cc6723eac8d3030c3c78e43539a5e6e63c75a4acfd24e9c9fc8913d204ba6523be01ca31cca9a181a49a4b

Download Submit
memory/112-317-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/112-326-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/112-454-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/112-460-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/432-420-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/432-417-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/592-221-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/592-233-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/648-371-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/648-390-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/888-319-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/888-227-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1240-419-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1240-405-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-271-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-263-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1328-393-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1328-396-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1524-435-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1560-421-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1560-402-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-245-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-331-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-444-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1700-241-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1700-207-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-310-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1736-449-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1736-368-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-257-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1796-352-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-370-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-361-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-275-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-400-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-418-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-265-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/1912-337-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-355-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2000-341-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-458-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-446-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-285-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-377-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-383-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-429-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-283-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-206-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-208-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-305-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-205-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-186-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/2580-203-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-304-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-289-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-5-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2644-38-0x0000000077DD0000-0x0000000077DD1000-memory.dmp

Filesize
4KB

Download
memory/2660-346-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-445-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-437-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-202-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-291-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-422-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/2976-278-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-464-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-204-0x000007FEF2C20000-0x000007FEF360C000-memory.dmp

Filesize
9.9MB

Download