epsilon | 0577b7e8c6a4d394e8be1eff342905b2f2c08490835716bd44e8e5158a3d7149

Analysis

max time kernel
136s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EpsilonFruit.exe
Size

139.8MB
MD5

85f4bf8349f324f0ca541059a8e5a5e0
SHA1

685097888c606190c99c1321f970192158cd5121
SHA256

46aaa87d0bff37acb4950a172739283666e191e5570189f13a98f89d545c1d2a
SHA512

95e7d670b83f5256384f1cc14f1c70250ed1be1fc0eb3bd91386ebdab8177a8c782533f6d60a00fa0cf6eba8995005d9162bfe1395983625d1ec9eafd852be0a
SSDEEP

786432:sSfg0tbLs2cRE3FsdxwBFyAaZZiljQWohhjbj6S46P845IPD:sSj5szmFcxwBFyAaZ4jMhhXcyC

Score

10^/10

epsilon evasion persistence spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Detects executables referencing combination of virtualization drivers 1 IoCs

Processes:

resource	yara_rule
behavioral8/files/0x0007000000023442-6.dat	INDICATOR_SUSPICIOUS_VM_Evasion_VirtDrvComb

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	EpsilonFruit.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	EpsilonFruit.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	EpsilonFruit.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	EpsilonFruit.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EpsilonFruit.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EpsilonFruit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EpsilonFruit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	EpsilonFruit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EpsilonFruit.exeEpsilonFruit.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	EpsilonFruit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	EpsilonFruit.exe

Executes dropped EXE 64 IoCs

Processes:

screenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exe

pid	Process
4700	screenCapture_1.3.2.exe
4968	screenCapture_1.3.2.exe
2328	screenCapture_1.3.2.exe
2424	screenCapture_1.3.2.exe
1320	screenCapture_1.3.2.exe
5048	screenCapture_1.3.2.exe
3992	screenCapture_1.3.2.exe
3980	screenCapture_1.3.2.exe
2444	screenCapture_1.3.2.exe
3784	screenCapture_1.3.2.exe
3508	screenCapture_1.3.2.exe
4872	screenCapture_1.3.2.exe
32	screenCapture_1.3.2.exe
3100	screenCapture_1.3.2.exe
1332	screenCapture_1.3.2.exe
4836	screenCapture_1.3.2.exe
2656	screenCapture_1.3.2.exe
3724	screenCapture_1.3.2.exe
3936	screenCapture_1.3.2.exe
460	screenCapture_1.3.2.exe
3000	screenCapture_1.3.2.exe
1780	screenCapture_1.3.2.exe
1320	screenCapture_1.3.2.exe
4048	screenCapture_1.3.2.exe
2084	screenCapture_1.3.2.exe
4228	screenCapture_1.3.2.exe
3600	screenCapture_1.3.2.exe
1596	screenCapture_1.3.2.exe
4552	screenCapture_1.3.2.exe
1072	screenCapture_1.3.2.exe
556	screenCapture_1.3.2.exe
2848	screenCapture_1.3.2.exe
3448	screenCapture_1.3.2.exe
3536	screenCapture_1.3.2.exe
1756	screenCapture_1.3.2.exe
2640	screenCapture_1.3.2.exe
4184	screenCapture_1.3.2.exe
2476	screenCapture_1.3.2.exe
232	screenCapture_1.3.2.exe
556	screenCapture_1.3.2.exe
2588	screenCapture_1.3.2.exe
928	screenCapture_1.3.2.exe
2656	screenCapture_1.3.2.exe
1408	screenCapture_1.3.2.exe
492	screenCapture_1.3.2.exe
4564	screenCapture_1.3.2.exe
1740	screenCapture_1.3.2.exe
720	screenCapture_1.3.2.exe
5040	screenCapture_1.3.2.exe
224	screenCapture_1.3.2.exe
3320	screenCapture_1.3.2.exe
3724	screenCapture_1.3.2.exe
1712	screenCapture_1.3.2.exe
2200	screenCapture_1.3.2.exe
4344	screenCapture_1.3.2.exe
3012	screenCapture_1.3.2.exe
240	screenCapture_1.3.2.exe
1332	screenCapture_1.3.2.exe
1236	screenCapture_1.3.2.exe
4120	screenCapture_1.3.2.exe
1956	screenCapture_1.3.2.exe
2396	screenCapture_1.3.2.exe
4144	screenCapture_1.3.2.exe
1328	screenCapture_1.3.2.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Wine	EpsilonFruit.exe

Loads dropped DLL 3 IoCs

Processes:

EpsilonFruit.exe

pid	Process
3620	EpsilonFruit.exe
3620	EpsilonFruit.exe
3620	EpsilonFruit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
40	ipinfo.io
41	ipinfo.io

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

EpsilonFruit.exe

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	EpsilonFruit.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
1496	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
5056	tasklist.exe
4924	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2028	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

EpsilonFruit.exeEpsilonFruit.exeEpsilonFruit.exe

pid	Process
3620	EpsilonFruit.exe
3620	EpsilonFruit.exe
4168	EpsilonFruit.exe
4168	EpsilonFruit.exe
4716	EpsilonFruit.exe
4716	EpsilonFruit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeEpsilonFruit.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe
Token: SeShutdownPrivilege	3620	EpsilonFruit.exe
Token: SeCreatePagefilePrivilege	3620	EpsilonFruit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EpsilonFruit.exe

pid	Process
3620	EpsilonFruit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EpsilonFruit.execmd.exe

description	pid	Process	procid_target
PID 3620 wrote to memory of 384	3620	EpsilonFruit.exe	86
PID 3620 wrote to memory of 384	3620	EpsilonFruit.exe	86
PID 384 wrote to memory of 4756	384	cmd.exe	88
PID 384 wrote to memory of 4756	384	cmd.exe	88
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4468	3620	EpsilonFruit.exe	89
PID 3620 wrote to memory of 4168	3620	EpsilonFruit.exe	90
PID 3620 wrote to memory of 4168	3620	EpsilonFruit.exe	90
PID 3620 wrote to memory of 4716	3620	EpsilonFruit.exe	91
PID 3620 wrote to memory of 4716	3620	EpsilonFruit.exe	91
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96
PID 3620 wrote to memory of 4272	3620	EpsilonFruit.exe	96

C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
"C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1788,5462491129802724107,17930324767564362421,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --mojo-platform-channel-handle=1936 --field-trial-handle=1788,5462491129802724107,17930324767564362421,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2272 --field-trial-handle=1788,5462491129802724107,17930324767564362421,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --mojo-platform-channel-handle=3228 --field-trial-handle=1788,5462491129802724107,17930324767564362421,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
  2⤵
  PID:1700
- - C:\Windows\system32\taskkill.exe
    taskkill /IM chrome.exe /F
    3⤵
    - Kills process with taskkill
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:4296
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:1184
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4548
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:4796
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:1740
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:1020
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2196
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-kuh0px.ryrwg.jpg" "
  2⤵
  PID:3308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:460
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES754A.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC7BE1E067972C4DDEB92E2CD4B95339CC.TMP"
      4⤵
      PID:3332
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-kuh0px.ryrwg.jpg"
    3⤵
    - Executes dropped EXE
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
  2⤵
  PID:3764
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
    3⤵
    - Adds Run key to start application
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4300
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1hswhpr.7yie.jpg" "
  2⤵
  PID:1736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:3492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74DD.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6EC512EC47ED4466B57FB49D3674F5D.TMP"
      4⤵
      PID:1336
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1hswhpr.7yie.jpg"
    3⤵
    - Executes dropped EXE
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-uvriks.191h.jpg" "
  2⤵
  PID:4380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    PID:2476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7635.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCD60DA840925E45FF9084FECE89647B12.TMP"
      4⤵
      PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-7f8hux.si9uj.jpg" "
  2⤵
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-7f8hux.si9uj.jpg"
    3⤵
    - Executes dropped EXE
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3ftxbo.talr5.jpg" "
  2⤵
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3ftxbo.talr5.jpg"
    3⤵
    - Executes dropped EXE
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ib9okr.7da5.jpg" "
  2⤵
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ib9okr.7da5.jpg"
    3⤵
    - Executes dropped EXE
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10v44gn.1x7s.jpg" "
  2⤵
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10v44gn.1x7s.jpg"
    3⤵
    - Executes dropped EXE
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mn9zjd.hkve.jpg" "
  2⤵
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mn9zjd.hkve.jpg"
    3⤵
    - Executes dropped EXE
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-i5i626.us5cm.jpg" "
  2⤵
  PID:2088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-i5i626.us5cm.jpg"
    3⤵
    - Executes dropped EXE
    PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-40z3ne.eb8h5.jpg" "
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-40z3ne.eb8h5.jpg"
    3⤵
    - Executes dropped EXE
    PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-nq04s6.4izc.jpg" "
  2⤵
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-nq04s6.4izc.jpg"
    3⤵
    - Executes dropped EXE
    PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ltw6c8.4jkv.jpg" "
  2⤵
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ltw6c8.4jkv.jpg"
    3⤵
    - Executes dropped EXE
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ekjk2v.mv7ii.jpg" "
  2⤵
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ekjk2v.mv7ii.jpg"
    3⤵
    - Executes dropped EXE
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-19030y1.8ozti.jpg" "
  2⤵
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-19030y1.8ozti.jpg"
    3⤵
    - Executes dropped EXE
    PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1bmozuo.pt5a.jpg" "
  2⤵
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1bmozuo.pt5a.jpg"
    3⤵
    - Executes dropped EXE
    PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-m1vssu.rvl2.jpg" "
  2⤵
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-m1vssu.rvl2.jpg"
    3⤵
    - Executes dropped EXE
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1t4817h.z02jh.jpg" "
  2⤵
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1t4817h.z02jh.jpg"
    3⤵
    - Executes dropped EXE
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ce1o9f.w4tzs.jpg" "
  2⤵
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ce1o9f.w4tzs.jpg"
    3⤵
    - Executes dropped EXE
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-v5mpgt.ikjjn.jpg" "
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-v5mpgt.ikjjn.jpg"
    3⤵
    - Executes dropped EXE
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-tu2s1b.u13l.jpg" "
  2⤵
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-tu2s1b.u13l.jpg"
    3⤵
    - Executes dropped EXE
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1tba8rm.boxy.jpg" "
  2⤵
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1tba8rm.boxy.jpg"
    3⤵
    - Executes dropped EXE
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1on89th.w4rc.jpg" "
  2⤵
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1on89th.w4rc.jpg"
    3⤵
    - Executes dropped EXE
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-n2wzba.pft8a.jpg" "
  2⤵
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-n2wzba.pft8a.jpg"
    3⤵
    - Executes dropped EXE
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-56by2f.76q0l.jpg" "
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-56by2f.76q0l.jpg"
    3⤵
    - Executes dropped EXE
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-s0ob4b.wdjgi.jpg" "
  2⤵
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-s0ob4b.wdjgi.jpg"
    3⤵
    - Executes dropped EXE
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1es3tdv.oshsl.jpg" "
  2⤵
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1es3tdv.oshsl.jpg"
    3⤵
    - Executes dropped EXE
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ylg4tb.mmmy.jpg" "
  2⤵
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ylg4tb.mmmy.jpg"
    3⤵
    - Executes dropped EXE
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-i103yv.n72pg.jpg" "
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-i103yv.n72pg.jpg"
    3⤵
    - Executes dropped EXE
    PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-5kvtch.kvb7t.jpg" "
  2⤵
  PID:608
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-5kvtch.kvb7t.jpg"
    3⤵
    - Executes dropped EXE
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-2nqzsr.vnod4.jpg" "
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-2nqzsr.vnod4.jpg"
    3⤵
    - Executes dropped EXE
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1jxkiuv.67x3.jpg" "
  2⤵
  PID:4016
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4380
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1jxkiuv.67x3.jpg"
    3⤵
    - Executes dropped EXE
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-5j440s.gwgpf.jpg" "
  2⤵
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-5j440s.gwgpf.jpg"
    3⤵
    - Executes dropped EXE
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1vz4bj2.27tp.jpg" "
  2⤵
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1vz4bj2.27tp.jpg"
    3⤵
    - Executes dropped EXE
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-idll57.d2ge.jpg" "
  2⤵
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-idll57.d2ge.jpg"
    3⤵
    - Executes dropped EXE
    PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1nyan6.iib8d.jpg" "
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1nyan6.iib8d.jpg"
    3⤵
    - Executes dropped EXE
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-x9ftk8.qc4gb.jpg" "
  2⤵
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-x9ftk8.qc4gb.jpg"
    3⤵
    - Executes dropped EXE
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ko57qw.8hsgl.jpg" "
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ko57qw.8hsgl.jpg"
    3⤵
    - Executes dropped EXE
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1v1bk49.17ybg.jpg" "
  2⤵
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1v1bk49.17ybg.jpg"
    3⤵
    - Executes dropped EXE
    PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-12wo6sw.q2mp.jpg" "
  2⤵
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-12wo6sw.q2mp.jpg"
    3⤵
    - Executes dropped EXE
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1np63py.398o.jpg" "
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1np63py.398o.jpg"
    3⤵
    - Executes dropped EXE
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-g47hz7.22g.jpg" "
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-g47hz7.22g.jpg"
    3⤵
    - Executes dropped EXE
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-4gb1tn.eacu9.jpg" "
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-4gb1tn.eacu9.jpg"
    3⤵
    - Executes dropped EXE
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-175ep2c.8j4h.jpg" "
  2⤵
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-175ep2c.8j4h.jpg"
    3⤵
    - Executes dropped EXE
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1qp31sl.zkygf.jpg" "
  2⤵
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1qp31sl.zkygf.jpg"
    3⤵
    - Executes dropped EXE
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-lfg7sf.ksc1.jpg" "
  2⤵
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-lfg7sf.ksc1.jpg"
    3⤵
    - Executes dropped EXE
    PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-suz4wa.m2dy.jpg" "
  2⤵
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-suz4wa.m2dy.jpg"
    3⤵
    - Executes dropped EXE
    PID:492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-t66mqh.7syu.jpg" "
  2⤵
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-t66mqh.7syu.jpg"
    3⤵
    - Executes dropped EXE
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1k8moig.509v.jpg" "
  2⤵
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1k8moig.509v.jpg"
    3⤵
    - Executes dropped EXE
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-tbtcid.9bx4.jpg" "
  2⤵
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-tbtcid.9bx4.jpg"
    3⤵
    - Executes dropped EXE
    PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1qr5403.bna5.jpg" "
  2⤵
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1qr5403.bna5.jpg"
    3⤵
    - Executes dropped EXE
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1xw6rxd.zt9y.jpg" "
  2⤵
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1xw6rxd.zt9y.jpg"
    3⤵
    - Executes dropped EXE
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1tcjt2d.kl8g.jpg" "
  2⤵
  PID:1336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4584
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1tcjt2d.kl8g.jpg"
    3⤵
    - Executes dropped EXE
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-mb0xvl.1wpy.jpg" "
  2⤵
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-mb0xvl.1wpy.jpg"
    3⤵
    - Executes dropped EXE
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-v3tsbc.ye51.jpg" "
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-v3tsbc.ye51.jpg"
    3⤵
    - Executes dropped EXE
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ivsedl.vwpmb.jpg" "
  2⤵
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ivsedl.vwpmb.jpg"
    3⤵
    - Executes dropped EXE
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-144ubt6.dm9tg.jpg" "
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-144ubt6.dm9tg.jpg"
    3⤵
    - Executes dropped EXE
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-tpkz28.hya4.jpg" "
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-tpkz28.hya4.jpg"
    3⤵
    - Executes dropped EXE
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-w2pyxd.cb2z.jpg" "
  2⤵
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-w2pyxd.cb2z.jpg"
    3⤵
    - Executes dropped EXE
    PID:240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qdlf2o.8r0e.jpg" "
  2⤵
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qdlf2o.8r0e.jpg"
    3⤵
    - Executes dropped EXE
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-34fgpc.kwe7.jpg" "
  2⤵
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-34fgpc.kwe7.jpg"
    3⤵
    - Executes dropped EXE
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mh330u.vapu.jpg" "
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mh330u.vapu.jpg"
    3⤵
    - Executes dropped EXE
    PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-194l3w7.pe8g.jpg" "
  2⤵
  PID:4256
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-194l3w7.pe8g.jpg"
    3⤵
    - Executes dropped EXE
    PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1vba7t2.0el6.jpg" "
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1vba7t2.0el6.jpg"
    3⤵
    - Executes dropped EXE
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gxq40u.xoy.jpg" "
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gxq40u.xoy.jpg"
    3⤵
    - Executes dropped EXE
    PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1sagajc.t3x3.jpg" "
  2⤵
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1sagajc.t3x3.jpg"
    3⤵
    - Executes dropped EXE
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-27r5q6.0ef93.jpg" "
  2⤵
  PID:4832
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-27r5q6.0ef93.jpg"
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ho3hkw.sxmk6.jpg" "
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ho3hkw.sxmk6.jpg"
    3⤵
    PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ebr1nc.vkz2.jpg" "
  2⤵
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ebr1nc.vkz2.jpg"
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qpp7fd.l3o5.jpg" "
  2⤵
  PID:2988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qpp7fd.l3o5.jpg"
    3⤵
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-vg48jq.ejb7c.jpg" "
  2⤵
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-vg48jq.ejb7c.jpg"
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-e21lqg.g0ntc.jpg" "
  2⤵
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-e21lqg.g0ntc.jpg"
    3⤵
    PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1s3goju.zis8g.jpg" "
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1s3goju.zis8g.jpg"
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3nsc6q.75vsy.jpg" "
  2⤵
  PID:4044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3nsc6q.75vsy.jpg"
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rxvti1.iuam.jpg" "
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rxvti1.iuam.jpg"
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-m7ivlj.krefp.jpg" "
  2⤵
  PID:2964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3784
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-m7ivlj.krefp.jpg"
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1x886u8.y4ye.jpg" "
  2⤵
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1x886u8.y4ye.jpg"
    3⤵
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gfjne3.ywf2.jpg" "
  2⤵
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gfjne3.ywf2.jpg"
    3⤵
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-kf728q.ulf2s.jpg" "
  2⤵
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-kf728q.ulf2s.jpg"
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1cq6gfq.vjzd.jpg" "
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1cq6gfq.vjzd.jpg"
    3⤵
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-zylkuo.82cq.jpg" "
  2⤵
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-zylkuo.82cq.jpg"
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-19yiuxk.agdk.jpg" "
  2⤵
  PID:3116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-19yiuxk.agdk.jpg"
    3⤵
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1kl240w.ohfp.jpg" "
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1kl240w.ohfp.jpg"
    3⤵
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qri9zx.g7rci.jpg" "
  2⤵
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qri9zx.g7rci.jpg"
    3⤵
    PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rtr8v0.58a6f.jpg" "
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rtr8v0.58a6f.jpg"
    3⤵
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-kjpc9.whgi8b.jpg" "
  2⤵
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-kjpc9.whgi8b.jpg"
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-15zj8iv.nvyx.jpg" "
  2⤵
  PID:2064
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-15zj8iv.nvyx.jpg"
    3⤵
    PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1s3l8f9.p2rl.jpg" "
  2⤵
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1s3l8f9.p2rl.jpg"
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-2z0hdi.re1a4.jpg" "
  2⤵
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-2z0hdi.re1a4.jpg"
    3⤵
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-n5yjr2.m4mb.jpg" "
  2⤵
  PID:776
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-n5yjr2.m4mb.jpg"
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1vyc9jv.9uau.jpg" "
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1vyc9jv.9uau.jpg"
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3zo6dw.x7096.jpg" "
  2⤵
  PID:688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3zo6dw.x7096.jpg"
    3⤵
    PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1bjag10.p30pl.jpg" "
  2⤵
  PID:1464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1bjag10.p30pl.jpg"
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-2902u3.cd3w8.jpg" "
  2⤵
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-2902u3.cd3w8.jpg"
    3⤵
    PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-rbqx6r.f3nq.jpg" "
  2⤵
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-rbqx6r.f3nq.jpg"
    3⤵
    PID:3104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-4k2pyl.95t63.jpg" "
  2⤵
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-4k2pyl.95t63.jpg"
    3⤵
    PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1n1mqdq.kdeb.jpg" "
  2⤵
  PID:2612
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1n1mqdq.kdeb.jpg"
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1g1dfy7.chwq.jpg" "
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1g1dfy7.chwq.jpg"
    3⤵
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-um8wsj.6u55e.jpg" "
  2⤵
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-um8wsj.6u55e.jpg"
    3⤵
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-6csyh3.hbav4.jpg" "
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-6csyh3.hbav4.jpg"
    3⤵
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1pha1xn.9rgy.jpg" "
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1pha1xn.9rgy.jpg"
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1r44jm9.109r.jpg" "
  2⤵
  PID:792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3132
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1r44jm9.109r.jpg"
    3⤵
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1z0mao3.6y6v.jpg" "
  2⤵
  PID:1536
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1z0mao3.6y6v.jpg"
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-7yt79d.hejsn.jpg" "
  2⤵
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-7yt79d.hejsn.jpg"
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1fvgbsk.duzt.jpg" "
  2⤵
  PID:3236
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1fvgbsk.duzt.jpg"
    3⤵
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1opuxoa.6i4.jpg" "
  2⤵
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1opuxoa.6i4.jpg"
    3⤵
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mntnxj.kxek.jpg" "
  2⤵
  PID:4988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mntnxj.kxek.jpg"
    3⤵
    PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ja8t5q.0dss.jpg" "
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ja8t5q.0dss.jpg"
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-91sacq.ksso5.jpg" "
  2⤵
  PID:2848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-91sacq.ksso5.jpg"
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1v8094c.s57n.jpg" "
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1v8094c.s57n.jpg"
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-pbjyms.7a7zb.jpg" "
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-pbjyms.7a7zb.jpg"
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1c3sao9.prj3.jpg" "
  2⤵
  PID:1928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1c3sao9.prj3.jpg"
    3⤵
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-xipula.nfcgr.jpg" "
  2⤵
  PID:3332
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-xipula.nfcgr.jpg"
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1nb14ht.dhty.jpg" "
  2⤵
  PID:384
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1nb14ht.dhty.jpg"
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-jqizth.n2f2.jpg" "
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-jqizth.n2f2.jpg"
    3⤵
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1i8vkpv.8ogh.jpg" "
  2⤵
  PID:492
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1i8vkpv.8ogh.jpg"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-opmev0.dlqs.jpg" "
  2⤵
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-opmev0.dlqs.jpg"
    3⤵
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rz6juh.1s0s.jpg" "
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rz6juh.1s0s.jpg"
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-xpejym.zjo8.jpg" "
  2⤵
  PID:1964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1320
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-xpejym.zjo8.jpg"
    3⤵
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-8kai9v.eflob.jpg" "
  2⤵
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-8kai9v.eflob.jpg"
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-6r7h1c.zftbb.jpg" "
  2⤵
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-6r7h1c.zftbb.jpg"
    3⤵
    PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-g2un3z.xkgpn.jpg" "
  2⤵
  PID:608
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-g2un3z.xkgpn.jpg"
    3⤵
    PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1m2sxcy.yph6.jpg" "
  2⤵
  PID:224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1m2sxcy.yph6.jpg"
    3⤵
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1yhmg4u.d489.jpg" "
  2⤵
  PID:4216
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1yhmg4u.d489.jpg"
    3⤵
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1jsuv9p.icsp.jpg" "
  2⤵
  PID:2084
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1jsuv9p.icsp.jpg"
    3⤵
    PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-mz1sr0.px9g.jpg" "
  2⤵
  PID:4924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-mz1sr0.px9g.jpg"
    3⤵
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-eoz80v.ane2.jpg" "
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-eoz80v.ane2.jpg"
    3⤵
    PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1lohc8.zrxw8.jpg" "
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1lohc8.zrxw8.jpg"
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-h08ki.06drq9.jpg" "
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-h08ki.06drq9.jpg"
    3⤵
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-15ouhph.ery3.jpg" "
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-15ouhph.ery3.jpg"
    3⤵
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-14jrimk.odkp.jpg" "
  2⤵
  PID:4844
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-14jrimk.odkp.jpg"
    3⤵
    PID:496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-15xf76v.yaji.jpg" "
  2⤵
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-15xf76v.yaji.jpg"
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-sp9mf9.ko2x9.jpg" "
  2⤵
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-sp9mf9.ko2x9.jpg"
    3⤵
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-fnotch.1030r.jpg" "
  2⤵
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-fnotch.1030r.jpg"
    3⤵
    PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1kb86r0.uj6zj.jpg" "
  2⤵
  PID:2072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1kb86r0.uj6zj.jpg"
    3⤵
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1kk7h4j.jaqj.jpg" "
  2⤵
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1kk7h4j.jaqj.jpg"
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-uhfzyy.wnc3.jpg" "
  2⤵
  PID:3704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-uhfzyy.wnc3.jpg"
    3⤵
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10owq4l.gi4o.jpg" "
  2⤵
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10owq4l.gi4o.jpg"
    3⤵
    PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-jd32op.c11l.jpg" "
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-jd32op.c11l.jpg"
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-gxdnne.wy1sw.jpg" "
  2⤵
  PID:2088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-gxdnne.wy1sw.jpg"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-mfjuj5.4oicq.jpg" "
  2⤵
  PID:4892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-mfjuj5.4oicq.jpg"
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-b08xat.w4um7.jpg" "
  2⤵
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-b08xat.w4um7.jpg"
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-14banrh.fzevi.jpg" "
  2⤵
  PID:3824
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5072
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-14banrh.fzevi.jpg"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-12ti1rv.2diy.jpg" "
  2⤵
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-12ti1rv.2diy.jpg"
    3⤵
    PID:3084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qlye17.j5jf.jpg" "
  2⤵
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qlye17.j5jf.jpg"
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-bjlam4.5rd9j.jpg" "
  2⤵
  PID:888
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-bjlam4.5rd9j.jpg"
    3⤵
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-h31t3s.vb89b.jpg" "
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-h31t3s.vb89b.jpg"
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1g4c21s.mlbx.jpg" "
  2⤵
  PID:4988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1g4c21s.mlbx.jpg"
    3⤵
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-s73few.nwi88.jpg" "
  2⤵
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-s73few.nwi88.jpg"
    3⤵
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gfpy9y.gv8kf.jpg" "
  2⤵
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gfpy9y.gv8kf.jpg"
    3⤵
    PID:416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-d7iy26.xxi4p.jpg" "
  2⤵
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-d7iy26.xxi4p.jpg"
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-f66mh8.kmwyr.jpg" "
  2⤵
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-f66mh8.kmwyr.jpg"
    3⤵
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-trnx7p.z2ng.jpg" "
  2⤵
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-trnx7p.z2ng.jpg"
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1opa6mn.9i1o.jpg" "
  2⤵
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1opa6mn.9i1o.jpg"
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-16jzrde.mrs3.jpg" "
  2⤵
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-16jzrde.mrs3.jpg"
    3⤵
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-g3nv90.4ucl9.jpg" "
  2⤵
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-g3nv90.4ucl9.jpg"
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-pgej1u.tm37.jpg" "
  2⤵
  PID:4220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:492
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-pgej1u.tm37.jpg"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10z783u.wfdpl.jpg" "
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10z783u.wfdpl.jpg"
    3⤵
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1wqylar.hcy6.jpg" "
  2⤵
  PID:1560
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1wqylar.hcy6.jpg"
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-6ctzca.64gi9.jpg" "
  2⤵
  PID:32
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-6ctzca.64gi9.jpg"
    3⤵
    PID:832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-wnobww.a0vri.jpg" "
  2⤵
  PID:1088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4480
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-wnobww.a0vri.jpg"
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3ypj2z.59rkl.jpg" "
  2⤵
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-3ypj2z.59rkl.jpg"
    3⤵
    PID:3920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1pbfznz.18w8.jpg" "
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1pbfznz.18w8.jpg"
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-gmyqqb.igkt.jpg" "
  2⤵
  PID:4548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-gmyqqb.igkt.jpg"
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1e001pj.h3vf.jpg" "
  2⤵
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1e001pj.h3vf.jpg"
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-105h258.2run.jpg" "
  2⤵
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-105h258.2run.jpg"
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10wkm7b.zlbej.jpg" "
  2⤵
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-10wkm7b.zlbej.jpg"
    3⤵
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-19fs66i.2rkr.jpg" "
  2⤵
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-19fs66i.2rkr.jpg"
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1uzdkts.bxh1.jpg" "
  2⤵
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1uzdkts.bxh1.jpg"
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-11swnna.5wpo.jpg" "
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-11swnna.5wpo.jpg"
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ny7z2b.juzp.jpg" "
  2⤵
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ny7z2b.juzp.jpg"
    3⤵
    PID:184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1b0kzqr.qa3kj.jpg" "
  2⤵
  PID:4432
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1b0kzqr.qa3kj.jpg"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1dntkso.6rawg.jpg" "
  2⤵
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1dntkso.6rawg.jpg"
    3⤵
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-18oe16e.3ugp.jpg" "
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-18oe16e.3ugp.jpg"
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mn508y.a9ze.jpg" "
  2⤵
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1mn508y.a9ze.jpg"
    3⤵
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 --field-trial-handle=1788,5462491129802724107,17930324767564362421,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gu5s49.dt3b.jpg" "
  2⤵
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1gu5s49.dt3b.jpg"
    3⤵
    PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-xeb5ez.tq3t.jpg" "
  2⤵
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-xeb5ez.tq3t.jpg"
    3⤵
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ur11zm.r2aek.jpg" "
  2⤵
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ur11zm.r2aek.jpg"
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-wbja2u.w4qj.jpg" "
  2⤵
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-wbja2u.w4qj.jpg"
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qoughi.8mvif.jpg" "
  2⤵
  PID:3948
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qoughi.8mvif.jpg"
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-nyrs05.58r9i.jpg" "
  2⤵
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-nyrs05.58r9i.jpg"
    3⤵
    PID:4756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1z0zpuc.570x.jpg" "
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1z0zpuc.570x.jpg"
    3⤵
    PID:836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1i5lnfa.3snk.jpg" "
  2⤵
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1i5lnfa.3snk.jpg"
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1oyretr.u8mm.jpg" "
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1oyretr.u8mm.jpg"
    3⤵
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ojpe9y.90cn.jpg" "
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ojpe9y.90cn.jpg"
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ynnfuj.tr7bf.jpg" "
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ynnfuj.tr7bf.jpg"
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ikoy0.atmj5.jpg" "
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ikoy0.atmj5.jpg"
    3⤵
    PID:3084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1pmp840.4fbi.jpg" "
  2⤵
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1pmp840.4fbi.jpg"
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-buub50.nhdhb.jpg" "
  2⤵
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-buub50.nhdhb.jpg"
    3⤵
    PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rts012.cgp2.jpg" "
  2⤵
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1rts012.cgp2.jpg"
    3⤵
    PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-24hcif.7igej.jpg" "
  2⤵
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-24hcif.7igej.jpg"
    3⤵
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-efrquk.bix2i.jpg" "
  2⤵
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-efrquk.bix2i.jpg"
    3⤵
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1o3jz6f.fwpb.jpg" "
  2⤵
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1o3jz6f.fwpb.jpg"
    3⤵
    PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ik7kv1.x08k.jpg" "
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-ik7kv1.x08k.jpg"
    3⤵
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-t5vrhj.szlhg.jpg" "
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-t5vrhj.szlhg.jpg"
    3⤵
    PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1e72udb.6o0c.jpg" "
  2⤵
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1e72udb.6o0c.jpg"
    3⤵
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1p2bw8.vavb6.jpg" "
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1p2bw8.vavb6.jpg"
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ddnu9z.10ux.jpg" "
  2⤵
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ddnu9z.10ux.jpg"
    3⤵
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-878imt.s75ph.jpg" "
  2⤵
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-878imt.s75ph.jpg"
    3⤵
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-bau9sa.j118j.jpg" "
  2⤵
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-bau9sa.j118j.jpg"
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-spx0o6.f9ged.jpg" "
  2⤵
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-spx0o6.f9ged.jpg"
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ohnf3f.gcmu.jpg" "
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1ohnf3f.gcmu.jpg"
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qamcav.j8bpl.jpg" "
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-qamcav.j8bpl.jpg"
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-11a8npi.atr9.jpg" "
  2⤵
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-11a8npi.atr9.jpg"
    3⤵
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-14y9pcn.eh34.jpg" "
  2⤵
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-3620-14y9pcn.eh34.jpg"
    3⤵
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-3620-1hx1dio.aiqef.jpg" "
  2⤵
  PID:4340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x4b0
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\screenCapture_1.3.2.exe.log

Filesize
862B

MD5
f3ac7a0e31b9af1b495241eff29915ad

SHA1
286fe23eba741cd3fca3f3e9a919021946655392

SHA256
f134296c53650817d3b2bbd04fd77b8833b76e79a953a1d14f7a3484bab5f12a

SHA512
b21d4e091140025f7ef2e96a3e3228c788ecffe43f4bcc5d1a15826686a392d9e0ad4ead4ed19b88c92fc9fd470014b15a79b9a82878d03005da3681b8dd9210

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fe914ed-1eb1-41a5-8857-071b1889826f.tmp.node

Filesize
163KB

MD5
b0e113443ddc1ee234acbf0eb0e6f8a0

SHA1
84cc562b82570ec05df6dbbfc8f29fbb16ec68c7

SHA256
8d6f5cab1d6a99ac49772080c6f383f33a9bb983e0f8d02d0f3de4b2bdd26215

SHA512
306e89ec66fdf8b0de19d5bcda01f69809d83f464a9c21fda4b470e81ad3b722aa6cb6086fb4c2af59504fe4332c1f9efff27168598cc00be0f28fed45dde8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-3620-3ftxbo.talr5.jpg

Filesize
79KB

MD5
51c1e9d76ab8046bbea81f5282d27ae4

SHA1
40e132be064f293f6711943f0a4c87c73efb37b6

SHA256
08f23053efad4a896f4b264e74a16cc3ef6be72067109c52ff2f9646922276c9

SHA512
c1aa91468c50711a65ccc525799b6914b4aa9500b5f60b1ff4e2aefa6b60ff27eefa700d949c92bda8c1d31b7842f8dfc6db1d6c5781ad991b4d533129537897

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-3620-n2wzba.pft8a.jpg

Filesize
79KB

MD5
d54598ef75c08327c448c26f1eebbb9d

SHA1
0d4223ff48312b79f525623ff19b99fa6e6b75bd

SHA256
67d965fa133296fa7425fe7419074229609769c439b397701b66e9a5f3170df7

SHA512
1de4cb2785b9f05c6cc6d13f11763f90e275c9c4d35a8a05ddd5898097d504ae5597576e98a74fdcd9a03f4d110e44f870b9971d38aa3838898dfaf09c80f41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\23205acc-e1d2-4d15-aef9-fb65f521cd1e.tmp.node

Filesize
2.7MB

MD5
08b28072c6d59fdf06a808182efed01f

SHA1
35253af00af3308a64cff1eda104fd7227abb2f4

SHA256
7c999c84852b1f46a48f75b130fea445280d7032a56359dffecf36730366abc5

SHA512
f2592ade5053b674dbe4191c7001748a801dca3b19e97e19b440a3e944011c87926b0ef21c87e98b48e038889a32e01c1d74949124be3144834e2f06d9781198

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a5fd73d-7032-4d93-8d1e-f85bc49f65e0.tmp.node

Filesize
652KB

MD5
1f86d23226fffe71b8784029d8c5125b

SHA1
9cc9bc5a5ca25a682746480dff1677d0ff5ec16c

SHA256
265d11dea86267a478907b398b8b33aad69f0944784386c1795cc32b8c931ffd

SHA512
4f1aaee14c9cb0a76853a15030b525ee082a226ac67e9c90a96bbdbbb9229f6fe48192d63686f72c55e094de45c2a032bdd241fcacc190b71ffdc0fde80824ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES74DD.tmp

Filesize
1KB

MD5
c172b41e3df93db7717fe66051de0d9b

SHA1
baabedca3f8befb9c4988de1022839ea57923963

SHA256
9c08d1188e9acecb9fd6428d1ce7c8623ec4a682cd9b72dba2ab7b8596c18d69

SHA512
df8fc62d6419b07a8ff1fd2e58f189f7ed047678fb14c2e97d0d74b3808a6a68ce869f3d039df44ecebfe5f1a2b657e47dd1f3daca56f8cfa16fe6877b138dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES754A.tmp

Filesize
1KB

MD5
56cdca03998346754784376b2c4a8e11

SHA1
e0cbff8b71872f53aa4dd030984bd3e2c85d80fd

SHA256
d21f12eb3a05238f61453309882cdb3605c5e5e57ed98f1ae5cef9a455d5db99

SHA512
ce5847495c3f7e0f9f24832aee80673ec3c9b20bca2c9cc9c31ca43227b068d3be07d53056a1310c0c027746b01bd7229cdecf8ca204d9922671ebcdc6005c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7635.tmp

Filesize
1KB

MD5
a67252e582f0df4a9f02e9a96f9ad28d

SHA1
8dacd183bc9d282bb4e59e6fc62f1e3f1e142bec

SHA256
e8634eb54e6ca60803089dbd1c600817a91661431f34c4019e6999d7190e7df9

SHA512
c111b89356074b9a9c51e2241b3dadcb6dec0732e5bcf3bac83686f9af70acd447ac0999cb5c2881deae422079a676259bea0aea666800c5d22f9638d3e4bc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
240B

MD5
810ae82f863a5ffae14d3b3944252a4e

SHA1
5393e27113753191436b14f0cafa8acabcfe6b2a

SHA256
453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

SHA512
2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
C:\Users\Admin\AppData\Roaming\EpsilonFruit\Network\Network Persistent State

Filesize
393B

MD5
eacb6603ae9b1074d5b24ee957c83071

SHA1
bd31779d367ff60ae943c1a8a5611517afe9e45d

SHA256
874862dab51b319544f37c47d531d50e0333346ef4a239dbc0039606845a212e

SHA512
ca22203c9c09bfc42eae565cde88cfce9ec6705856fadb3726e66f4f2415bd437db11de9980575295ba158dd577a3ef6ca392c5bc0b8e2bcd35aea32eac04a0b

Download Submit
C:\Users\Admin\AppData\Roaming\EpsilonFruit\Network\Network Persistent State~RFe595700.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\EpsilonFruit\e17a55c4-6f2a-4f1f-aab5-50f9295f9740.tmp

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6EC512EC47ED4466B57FB49D3674F5D.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
500bd82aafeb3d7824bf82fb0761be3c

SHA1
715a23e9bd368f101773e7baba5c7fcdeaa64185

SHA256
37ff721d47c8422b1e5b967ee09dfa64c67ba7d5a2ad758c5926e5b3dbee31d2

SHA512
a6aebdc6855f8b6010af2ac29860746f3483d5d71173efa1dd3fdd5fddee864844d2bd0e3663968d338060213743f10d14d04fc3d63408f260b78c6128399dee

Download Submit
memory/32-258-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/32-255-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/208-1069-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1082-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1070-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1079-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1080-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1085-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1083-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1084-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1071-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/208-1081-0x00000209D5A10000-0x00000209D5A11000-memory.dmp

Filesize
4KB

Download
memory/460-307-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/460-312-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/556-372-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/1072-368-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/1320-189-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1320-331-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1320-192-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-269-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1332-272-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-357-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-390-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/1756-387-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/1780-322-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-319-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-344-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-341-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-175-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-178-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2424-195-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2424-279-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-220-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-215-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2640-395-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/2656-358-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2656-283-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/2848-376-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/3000-306-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-313-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-264-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-268-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-380-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/3508-328-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3508-244-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-386-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/3600-354-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-400-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-292-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3724-362-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-230-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3784-225-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-296-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3936-301-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-216-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-212-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-208-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-200-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-337-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-382-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4184-401-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/4228-347-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-392-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4272-241-0x0000024B2AC70000-0x0000024B2AD0B000-memory.dmp

Filesize
620KB

Download
memory/4468-10-0x00007FFE2E670000-0x00007FFE2E671000-memory.dmp

Filesize
4KB

Download
memory/4468-26-0x000002D10A930000-0x000002D10A9CB000-memory.dmp

Filesize
620KB

Download
memory/4552-363-0x00007FFE0D670000-0x00007FFE0E131000-memory.dmp

Filesize
10.8MB

Download
memory/4700-163-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-174-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-162-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/4836-280-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4836-286-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-248-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-253-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-173-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-186-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-199-0x00007FFE0D2F0000-0x00007FFE0DDB1000-memory.dmp

Filesize
10.8MB

Download