epsilon | 0577b7e8c6a4d394e8be1eff342905b2f2c08490835716bd44e8e5158a3d7149

Analysis

max time kernel
147s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EpsilonFruit.exe
Size

139.8MB
MD5

85f4bf8349f324f0ca541059a8e5a5e0
SHA1

685097888c606190c99c1321f970192158cd5121
SHA256

46aaa87d0bff37acb4950a172739283666e191e5570189f13a98f89d545c1d2a
SHA512

95e7d670b83f5256384f1cc14f1c70250ed1be1fc0eb3bd91386ebdab8177a8c782533f6d60a00fa0cf6eba8995005d9162bfe1395983625d1ec9eafd852be0a
SSDEEP

786432:sSfg0tbLs2cRE3FsdxwBFyAaZZiljQWohhjbj6S46P845IPD:sSj5szmFcxwBFyAaZ4jMhhXcyC

Score

10^/10

epsilon evasion persistence spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	EpsilonFruit.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	EpsilonFruit.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	EpsilonFruit.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	EpsilonFruit.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EpsilonFruit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EpsilonFruit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	EpsilonFruit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	EpsilonFruit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	EpsilonFruit.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Wine	EpsilonFruit.exe

Loads dropped DLL 3 IoCs

pid	Process
1676	EpsilonFruit.exe
1676	EpsilonFruit.exe
1676	EpsilonFruit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	EpsilonFruit.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
576	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2900	tasklist.exe
1188	tasklist.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2016	csc.exe
2788	csc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1676	EpsilonFruit.exe
2424	EpsilonFruit.exe
2476	EpsilonFruit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2572	WMIC.exe
Token: SeRemoteShutdownPrivilege	2572	WMIC.exe
Token: SeUndockPrivilege	2572	WMIC.exe
Token: SeManageVolumePrivilege	2572	WMIC.exe
Token: 33	2572	WMIC.exe
Token: 34	2572	WMIC.exe
Token: 35	2572	WMIC.exe
Token: SeDebugPrivilege	1188	tasklist.exe
Token: SeShutdownPrivilege	1676	EpsilonFruit.exe
Token: SeShutdownPrivilege	1676	EpsilonFruit.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemProfilePrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeProfSingleProcessPrivilege	2888	WMIC.exe
Token: SeIncBasePriorityPrivilege	2888	WMIC.exe
Token: SeCreatePagefilePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeDebugPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeRemoteShutdownPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: 33	2888	WMIC.exe
Token: 34	2888	WMIC.exe
Token: 35	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1676	EpsilonFruit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2516	1676	EpsilonFruit.exe	28
PID 1676 wrote to memory of 2516	1676	EpsilonFruit.exe	28
PID 1676 wrote to memory of 2516	1676	EpsilonFruit.exe	28
PID 2516 wrote to memory of 2572	2516	cmd.exe	30
PID 2516 wrote to memory of 2572	2516	cmd.exe	30
PID 2516 wrote to memory of 2572	2516	cmd.exe	30
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2624	1676	EpsilonFruit.exe	31
PID 1676 wrote to memory of 2424	1676	EpsilonFruit.exe	32
PID 1676 wrote to memory of 2424	1676	EpsilonFruit.exe	32
PID 1676 wrote to memory of 2424	1676	EpsilonFruit.exe	32
PID 1676 wrote to memory of 2476	1676	EpsilonFruit.exe	33
PID 1676 wrote to memory of 2476	1676	EpsilonFruit.exe	33
PID 1676 wrote to memory of 2476	1676	EpsilonFruit.exe	33
PID 1676 wrote to memory of 2044	1676	EpsilonFruit.exe	35
PID 1676 wrote to memory of 2044	1676	EpsilonFruit.exe	35
PID 1676 wrote to memory of 2044	1676	EpsilonFruit.exe	35
PID 1676 wrote to memory of 2520	1676	EpsilonFruit.exe	37
PID 1676 wrote to memory of 2520	1676	EpsilonFruit.exe	37
PID 1676 wrote to memory of 2520	1676	EpsilonFruit.exe	37
PID 1676 wrote to memory of 1984	1676	EpsilonFruit.exe	38
PID 1676 wrote to memory of 1984	1676	EpsilonFruit.exe	38
PID 1676 wrote to memory of 1984	1676	EpsilonFruit.exe	38
PID 2044 wrote to memory of 2056	2044	cmd.exe	41
PID 2044 wrote to memory of 2056	2044	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
"C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1036 --field-trial-handle=1196,14624797897680127963,2135768061654857636,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --mojo-platform-channel-handle=1340 --field-trial-handle=1196,14624797897680127963,2135768061654857636,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1556 --field-trial-handle=1196,14624797897680127963,2135768061654857636,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:2520
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1984
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:2164
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:540
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:1848
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:992
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1528
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:952
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 --field-trial-handle=1196,14624797897680127963,2135768061654857636,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
  2⤵
  PID:608
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
    3⤵
    - Adds Run key to start application
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1500
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-uecjdx.4k268.jpg" "
  2⤵
  PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DF1.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCB4802849674B4A68A9D7CB6BEE18D45.TMP"
      4⤵
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-uecjdx.4k268.jpg"
    3⤵
    PID:1252
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2388 --field-trial-handle=1196,14624797897680127963,2135768061654857636,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ewbamh.tizx.jpg" "
  2⤵
  PID:2308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DC2.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC8F557D76D3D94D6DBBDE5493D45BD65.TMP"
      4⤵
      PID:2572
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ewbamh.tizx.jpg"
    3⤵
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-2uod5x.xw6nl.jpg" "
  2⤵
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-2uod5x.xw6nl.jpg"
    3⤵
    PID:2064
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --mojo-platform-channel-handle=1608 --field-trial-handle=1196,14624797897680127963,2135768061654857636,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-scemr8.mynyr.jpg" "
  2⤵
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-scemr8.mynyr.jpg"
    3⤵
    PID:1104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1wrp73s.g9jtj.jpg" "
  2⤵
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1wrp73s.g9jtj.jpg"
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-zggbtp.euo5k.jpg" "
  2⤵
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-zggbtp.euo5k.jpg"
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-cq34gc.mbz4t.jpg" "
  2⤵
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-cq34gc.mbz4t.jpg"
    3⤵
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1kls9q5.5p7r.jpg" "
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1kls9q5.5p7r.jpg"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-8tqxod.4xsjw.jpg" "
  2⤵
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-8tqxod.4xsjw.jpg"
    3⤵
    PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-8hdpj.5tk5ip.jpg" "
  2⤵
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-8hdpj.5tk5ip.jpg"
    3⤵
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-l4ayef.34ut.jpg" "
  2⤵
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-l4ayef.34ut.jpg"
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-t9dnpo.dmk2.jpg" "
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-t9dnpo.dmk2.jpg"
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-dtqwiy.hbni.jpg" "
  2⤵
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-dtqwiy.hbni.jpg"
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1a7hu65.bsrk.jpg" "
  2⤵
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1a7hu65.bsrk.jpg"
    3⤵
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-e12xjg.lvqio.jpg" "
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-e12xjg.lvqio.jpg"
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bto0oh.jew4.jpg" "
  2⤵
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bto0oh.jew4.jpg"
    3⤵
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-19mctiu.b2ct.jpg" "
  2⤵
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-19mctiu.b2ct.jpg"
    3⤵
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-f762ri.vr9kr.jpg" "
  2⤵
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-f762ri.vr9kr.jpg"
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6b2kuh.6jw78.jpg" "
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6b2kuh.6jw78.jpg"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1pufo5a.78ze.jpg" "
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1pufo5a.78ze.jpg"
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ugzzgw.m8m1.jpg" "
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ugzzgw.m8m1.jpg"
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-197757s.5ixy.jpg" "
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-197757s.5ixy.jpg"
    3⤵
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14dg9mi.wvdak.jpg" "
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14dg9mi.wvdak.jpg"
    3⤵
    PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-zrplrc.4d9q.jpg" "
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-zrplrc.4d9q.jpg"
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-r1xbs2.tddk.jpg" "
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-r1xbs2.tddk.jpg"
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-2t1tcn.xo6v3.jpg" "
  2⤵
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-2t1tcn.xo6v3.jpg"
    3⤵
    PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-194xnkj.dios.jpg" "
  2⤵
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-194xnkj.dios.jpg"
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-b6uy9u.s50s.jpg" "
  2⤵
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-b6uy9u.s50s.jpg"
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-l9pq4t.mznm.jpg" "
  2⤵
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-l9pq4t.mznm.jpg"
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-rb7sb2.551yi.jpg" "
  2⤵
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-rb7sb2.551yi.jpg"
    3⤵
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1tf9smr.xwss.jpg" "
  2⤵
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1tf9smr.xwss.jpg"
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1a9byqv.mxlh.jpg" "
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1a9byqv.mxlh.jpg"
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-uvlhdx.ggu4.jpg" "
  2⤵
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-uvlhdx.ggu4.jpg"
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1prk4rz.tzv.jpg" "
  2⤵
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1prk4rz.tzv.jpg"
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-88scbd.s8rn.jpg" "
  2⤵
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-88scbd.s8rn.jpg"
    3⤵
    PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-zfjrzu.8xgao.jpg" "
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-zfjrzu.8xgao.jpg"
    3⤵
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1fgdsjb.x70b.jpg" "
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1fgdsjb.x70b.jpg"
    3⤵
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-sh5hkx.rfj7i.jpg" "
  2⤵
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-sh5hkx.rfj7i.jpg"
    3⤵
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-c1izmy.f46bg.jpg" "
  2⤵
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-c1izmy.f46bg.jpg"
    3⤵
    PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-h3n6ch.sh0ti.jpg" "
  2⤵
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-h3n6ch.sh0ti.jpg"
    3⤵
    PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1yctpsn.nxej.jpg" "
  2⤵
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1yctpsn.nxej.jpg"
    3⤵
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-sfbdcd.iire.jpg" "
  2⤵
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-sfbdcd.iire.jpg"
    3⤵
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1tn5crz.xkhx.jpg" "
  2⤵
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1tn5crz.xkhx.jpg"
    3⤵
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1w90qgv.7zjbi.jpg" "
  2⤵
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1w90qgv.7zjbi.jpg"
    3⤵
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-d282gd.z64x5.jpg" "
  2⤵
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-d282gd.z64x5.jpg"
    3⤵
    PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-19b3i0k.9rne.jpg" "
  2⤵
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-19b3i0k.9rne.jpg"
    3⤵
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-15lto38.calkk.jpg" "
  2⤵
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-15lto38.calkk.jpg"
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-156dwee.qt2s.jpg" "
  2⤵
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-156dwee.qt2s.jpg"
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-bnome0.4mz3a.jpg" "
  2⤵
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-bnome0.4mz3a.jpg"
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1cfh3qa.ti3j.jpg" "
  2⤵
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1cfh3qa.ti3j.jpg"
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vmptdb.dk68.jpg" "
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vmptdb.dk68.jpg"
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6nf0d2.j1amj.jpg" "
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6nf0d2.j1amj.jpg"
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ufkbo4.svrf.jpg" "
  2⤵
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ufkbo4.svrf.jpg"
    3⤵
    PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-dj6vme.8zdea.jpg" "
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-dj6vme.8zdea.jpg"
    3⤵
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ruafeb.hvdt9.jpg" "
  2⤵
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ruafeb.hvdt9.jpg"
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-4a881k.rbjra.jpg" "
  2⤵
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-4a881k.rbjra.jpg"
    3⤵
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-148idbp.abbs.jpg" "
  2⤵
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-148idbp.abbs.jpg"
    3⤵
    PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14slb8b.wy7t.jpg" "
  2⤵
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14slb8b.wy7t.jpg"
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-10mkdu5.1bxc.jpg" "
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-10mkdu5.1bxc.jpg"
    3⤵
    PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14ab571.ff4g.jpg" "
  2⤵
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14ab571.ff4g.jpg"
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-tqxukd.26bja.jpg" "
  2⤵
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-tqxukd.26bja.jpg"
    3⤵
    PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-9nlktu.kvcya.jpg" "
  2⤵
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-9nlktu.kvcya.jpg"
    3⤵
    PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ymnpt7.eyr4b.jpg" "
  2⤵
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ymnpt7.eyr4b.jpg"
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ioaref.4bqy.jpg" "
  2⤵
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ioaref.4bqy.jpg"
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-rf64zb.6n1xg.jpg" "
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-rf64zb.6n1xg.jpg"
    3⤵
    PID:836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1r5nfrd.jq68.jpg" "
  2⤵
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1r5nfrd.jq68.jpg"
    3⤵
    PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1iot0nd.mu2i.jpg" "
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1iot0nd.mu2i.jpg"
    3⤵
    PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1uowu9.bbqie.jpg" "
  2⤵
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1uowu9.bbqie.jpg"
    3⤵
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1xcliet.jpoa.jpg" "
  2⤵
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1xcliet.jpoa.jpg"
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14ftgpq.rxww.jpg" "
  2⤵
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-14ftgpq.rxww.jpg"
    3⤵
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1x77g9v.bgt9.jpg" "
  2⤵
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1x77g9v.bgt9.jpg"
    3⤵
    PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1uprdpu.ca4e.jpg" "
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1uprdpu.ca4e.jpg"
    3⤵
    PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-11y2hhg.o9nu.jpg" "
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-11y2hhg.o9nu.jpg"
    3⤵
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-r0urec.o3d8.jpg" "
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-r0urec.o3d8.jpg"
    3⤵
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bn0t51.641f.jpg" "
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bn0t51.641f.jpg"
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-cf6ag.tkpzj8.jpg" "
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-cf6ag.tkpzj8.jpg"
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-9g4o42.0and6.jpg" "
  2⤵
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-9g4o42.0and6.jpg"
    3⤵
    PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1expgyy.9589.jpg" "
  2⤵
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1expgyy.9589.jpg"
    3⤵
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bp7mv1.wu74.jpg" "
  2⤵
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bp7mv1.wu74.jpg"
    3⤵
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1j2d039.3eq2.jpg" "
  2⤵
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1j2d039.3eq2.jpg"
    3⤵
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vq8a44.1xuh.jpg" "
  2⤵
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vq8a44.1xuh.jpg"
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1e6e8zy.gqdm.jpg" "
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1e6e8zy.gqdm.jpg"
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-13ev7vi.iu7o.jpg" "
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-13ev7vi.iu7o.jpg"
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-11ytjs5.3x83.jpg" "
  2⤵
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-11ytjs5.3x83.jpg"
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-o3cxpd.4by8r.jpg" "
  2⤵
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-o3cxpd.4by8r.jpg"
    3⤵
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1tmny3q.390o.jpg" "
  2⤵
  PID:3716
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1tmny3q.390o.jpg"
    3⤵
    PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1xn3vr6.a2hu.jpg" "
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1xn3vr6.a2hu.jpg"
    3⤵
    PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1li4kab.ksv7g.jpg" "
  2⤵
  PID:356
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1li4kab.ksv7g.jpg"
    3⤵
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-2xf1xb.ljw2y.jpg" "
  2⤵
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-2xf1xb.ljw2y.jpg"
    3⤵
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-mlqfca.jlcv.jpg" "
  2⤵
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-mlqfca.jlcv.jpg"
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1hgmek7.oh68.jpg" "
  2⤵
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1hgmek7.oh68.jpg"
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-5a2h3a.qems.jpg" "
  2⤵
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-5a2h3a.qems.jpg"
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-iflctg.joazd.jpg" "
  2⤵
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-iflctg.joazd.jpg"
    3⤵
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-v4fd4z.iv47.jpg" "
  2⤵
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-v4fd4z.iv47.jpg"
    3⤵
    PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1wpjkyq.pe0j.jpg" "
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1wpjkyq.pe0j.jpg"
    3⤵
    PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-pvg6uq.ifa9k.jpg" "
  2⤵
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-pvg6uq.ifa9k.jpg"
    3⤵
    PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1as7imd.zg6xg.jpg" "
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1as7imd.zg6xg.jpg"
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-9k2cvk.cyqdg.jpg" "
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-9k2cvk.cyqdg.jpg"
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1jt85u0.kd1o.jpg" "
  2⤵
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1jt85u0.kd1o.jpg"
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-uozklo.l9j8.jpg" "
  2⤵
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-uozklo.l9j8.jpg"
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-bhdwke.pmge.jpg" "
  2⤵
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-bhdwke.pmge.jpg"
    3⤵
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bxd9sn.jt11g.jpg" "
  2⤵
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1bxd9sn.jt11g.jpg"
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-odsnmt.g4tum.jpg" "
  2⤵
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-odsnmt.g4tum.jpg"
    3⤵
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1eq5l7g.2pchi.jpg" "
  2⤵
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1eq5l7g.2pchi.jpg"
    3⤵
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1rzx4wg.5o53.jpg" "
  2⤵
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1rzx4wg.5o53.jpg"
    3⤵
    PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1te769k.pm04.jpg" "
  2⤵
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1te769k.pm04.jpg"
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1m9ulz3.3mm5.jpg" "
  2⤵
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1m9ulz3.3mm5.jpg"
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-qhdcr2.ptmwh.jpg" "
  2⤵
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-qhdcr2.ptmwh.jpg"
    3⤵
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-lnoolj.yg37.jpg" "
  2⤵
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-lnoolj.yg37.jpg"
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-11fw1m8.4bjm.jpg" "
  2⤵
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-11fw1m8.4bjm.jpg"
    3⤵
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-coqk0b.k1m2.jpg" "
  2⤵
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-coqk0b.k1m2.jpg"
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-jsd97d.6th3.jpg" "
  2⤵
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-jsd97d.6th3.jpg"
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-17fh4vh.v2u3g.jpg" "
  2⤵
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-17fh4vh.v2u3g.jpg"
    3⤵
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vg3t5e.is2ff.jpg" "
  2⤵
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vg3t5e.is2ff.jpg"
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ynbk0z.3oy2.jpg" "
  2⤵
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ynbk0z.3oy2.jpg"
    3⤵
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-40pfd4.xmv96.jpg" "
  2⤵
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-40pfd4.xmv96.jpg"
    3⤵
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-r50oir.cuu9c.jpg" "
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-r50oir.cuu9c.jpg"
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1gpnlid.kpns.jpg" "
  2⤵
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1gpnlid.kpns.jpg"
    3⤵
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-aqlcdy.1vaad.jpg" "
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-aqlcdy.1vaad.jpg"
    3⤵
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1jzeaau.3nof.jpg" "
  2⤵
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1jzeaau.3nof.jpg"
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-5ke9yv.xs8d.jpg" "
  2⤵
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-5ke9yv.xs8d.jpg"
    3⤵
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-id5agw.yqxlc.jpg" "
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-id5agw.yqxlc.jpg"
    3⤵
    PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-grv0et.lcr1b.jpg" "
  2⤵
  PID:1920
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-grv0et.lcr1b.jpg"
    3⤵
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1um1onx.okff.jpg" "
  2⤵
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1um1onx.okff.jpg"
    3⤵
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1b91i31.ckf8.jpg" "
  2⤵
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1b91i31.ckf8.jpg"
    3⤵
    PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vfrck3.nrb.jpg" "
  2⤵
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1vfrck3.nrb.jpg"
    3⤵
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-18cv4pa.7jc8.jpg" "
  2⤵
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-18cv4pa.7jc8.jpg"
    3⤵
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1rlo178.tfv1.jpg" "
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1rlo178.tfv1.jpg"
    3⤵
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-wepbfh.bkglk.jpg" "
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-wepbfh.bkglk.jpg"
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-7thue4.pjzks.jpg" "
  2⤵
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-7thue4.pjzks.jpg"
    3⤵
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ddqs37.7i2z.jpg" "
  2⤵
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ddqs37.7i2z.jpg"
    3⤵
    PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-qizvtx.leqw8.jpg" "
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-qizvtx.leqw8.jpg"
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-18kpoke.jif2.jpg" "
  2⤵
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-18kpoke.jif2.jpg"
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-12j8kj0.qbek.jpg" "
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-12j8kj0.qbek.jpg"
    3⤵
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ky7dfz.1yqu.jpg" "
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ky7dfz.1yqu.jpg"
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1el3kys.vsq1.jpg" "
  2⤵
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1el3kys.vsq1.jpg"
    3⤵
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1s3hpa1.52ld.jpg" "
  2⤵
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1s3hpa1.52ld.jpg"
    3⤵
    PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1abq24.w0s52.jpg" "
  2⤵
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1abq24.w0s52.jpg"
    3⤵
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1jsnxau.fdh5.jpg" "
  2⤵
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1jsnxau.fdh5.jpg"
    3⤵
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-u9jj9e.az8rc.jpg" "
  2⤵
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-u9jj9e.az8rc.jpg"
    3⤵
    PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1glwth0.8lt6.jpg" "
  2⤵
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1glwth0.8lt6.jpg"
    3⤵
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-ypygkc.bw6q.jpg" "
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-lczgm.7l31kq.jpg" "
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-lczgm.7l31kq.jpg"
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-js6pgx.llj9c.jpg" "
  2⤵
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-js6pgx.llj9c.jpg"
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1flde62.8cukk.jpg" "
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1flde62.8cukk.jpg"
    3⤵
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1kz8pk8.sk9j.jpg" "
  2⤵
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1kz8pk8.sk9j.jpg"
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1mv5l4y.46so.jpg" "
  2⤵
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1mv5l4y.46so.jpg"
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-xdt4ub.cussi.jpg" "
  2⤵
  PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1gjp3c3.5v3ol.jpg" "
  2⤵
  PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-k1czrv.1eimn.jpg" "
  2⤵
  PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-pha15q.0c4w.jpg" "
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-pha15q.0c4w.jpg"
    3⤵
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-160uhoq.6qv9.jpg" "
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-2yjqml.2z632.jpg" "
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-js8e5y.5ixms.jpg" "
  2⤵
  PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-tf2p1s.rhnu.jpg" "
  2⤵
  PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-vbv4cc.9ssi.jpg" "
  2⤵
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-17vjqpx.pbjl.jpg" "
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-17vjqpx.pbjl.jpg"
    3⤵
    PID:352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-orra80.4b3ji.jpg" "
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-orra80.4b3ji.jpg"
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-afy2xu.z9fd6.jpg" "
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6cawut.hnt0l.jpg" "
  2⤵
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6cawut.hnt0l.jpg"
    3⤵
    PID:3788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-x51keh.2c2ch.jpg" "
  2⤵
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-x51keh.2c2ch.jpg"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1o2f9tg.oqd1h.jpg" "
  2⤵
  PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ma3yez.08yri.jpg" "
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-rwlt5q.rlor.jpg" "
  2⤵
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-rwlt5q.rlor.jpg"
    3⤵
    PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-s73zxj.hnj8.jpg" "
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-s73zxj.hnj8.jpg"
    3⤵
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ex3fey.zfi0g.jpg" "
  2⤵
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ex3fey.zfi0g.jpg"
    3⤵
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-hn6mpq.l02e.jpg" "
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-nqrwzg.0g98k.jpg" "
  2⤵
  PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-mw7hwy.1sgb.jpg" "
  2⤵
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-q2i6d2.sl2em.jpg" "
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1dumd16.qam.jpg" "
  2⤵
  PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1p6bbs5.a8pv.jpg" "
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1afr89e.3uyd.jpg" "
  2⤵
  PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-tlzfuq.s8pa.jpg" "
  2⤵
  PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6frm5v.bw6bh.jpg" "
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-svjnkk.rfn6.jpg" "
  2⤵
  PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-15n4fam.xqjj.jpg" "
  2⤵
  PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-qpquxe.7he9s.jpg" "
  2⤵
  PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1ozknk.crvyn.jpg" "
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1xlzxd1.054b.jpg" "
  2⤵
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-lg47em.jtoef.jpg" "
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-6pqlxu.cyyak.jpg" "
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-jvl9mp.pj8e.jpg" "
  2⤵
  PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024318-1676-11xjfl3.mx0fk.jpg" "
  2⤵
  PID:896

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-f7vz3k.u4gqt.jpg"
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024318-1676-1wgqh78.khkw.jpg"
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024318-1676-1a7hu65.bsrk.jpg

Filesize
16KB

MD5
a54ba56f394a2e872c85f37dbe20e478

SHA1
c1a898fa8d68a6c0637b869b08f84c9e3a270680

SHA256
0bc13c24a77ba60a4101fe1574d81ddbd20fe1986dd9da2adff1eeb937c5c9e8

SHA512
2f17c571a54b687214dc4d6a900e470e0887da012998e647da481eb3a493d0fa86df3b980b1ed2f55b6125e5c14246d59188598838e60e43a154b1b271f5d07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-1kls9q5.5p7r.jpg

Filesize
16KB

MD5
d8953d97e6d77f024a578b4dd3d4ac75

SHA1
127d5222ff1f469476cab5f2e5e3d8baebc8690a

SHA256
d593c5440e30f12b2e0c006f573ffb7df7c57ab519c9d564e2348a40ab1373ac

SHA512
5e1362013133166e638530dd08c22a3d1d25b75b8b50b7edc986a80334797de6afe2c0f3879d00fe5aac112d8d8b7c7335f85f414a2d6d487fbab0a7da3aa3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-6b2kuh.6jw78.jpg

Filesize
16KB

MD5
12df4ae3da0eb7fa5e5bbed485502fd3

SHA1
b11580bb06de2a954ffe3a303c204d82d722f7b6

SHA256
c0d517f801156ca39f9b01df7a10fe20c93950d2619cc9e7bbc8f44848410a8c

SHA512
a7b16721937c3f6d13fcdafec0f8a065fb58f1dc0da19393fa8e8bb8318dffb338dfddaf40fbc19350d2b4aacb071ebbe9c503bafc5eb728da4b9d64936932b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-cq34gc.mbz4t.jpg

Filesize
16KB

MD5
d487072dee784c46b933ff1e0d6f6df1

SHA1
550b36056ec7b205b73a36f94a9c67734223c7b6

SHA256
15989ea16cceaf28dc572d6886394c93fe8ba0e1634befca195bd02b038d098c

SHA512
5cd731c0209a277695f5b21edc45efee3580fca2ecf3f8d4e420db1a0b95c2dced67eed25f8a7a215d13a1c931ac1c128314bc49e67b2901a6653736d3a51d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-f762ri.vr9kr.jpg

Filesize
16KB

MD5
a84346a85a4c27a9577b66d0b2287e10

SHA1
3eeb60c96cdfe17bc069321b559221cbd7e28993

SHA256
25cd472203dd4271b2bc4e9c49de23d071cd21a6a283f59df4d755678e9d21a0

SHA512
c51028f5e9c31e540666c625a4654c891fbad68844eea9c5cb1596b205d5483ae53ce5471d62c36834c3e96d21674d2bcbd35679905f6218403bb82860d6ce5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-l4ayef.34ut.jpg

Filesize
16KB

MD5
7436b5379e10190fda60fadd5a6dd794

SHA1
10186daa0fae0c2e6973bca78b4dceba5469fb70

SHA256
2915b3bdfb44f97bd6108385d475aa8f7c3fd9a5e6f115d9ab6aa9449a1012bb

SHA512
46a31b1bad3e87348c5cad2e11fab2f71e7bbe1f9fdfea735d66f76b8b4f8b73f8f27848248be037941b6eb3e32bc789bf817edcef58e054de9446ab86bfb8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-r1xbs2.tddk.jpg

Filesize
16KB

MD5
33ea8af9e85aea75870c041026793001

SHA1
66f5c9f809c4b8b0fbc44f0f050757644c87d1e0

SHA256
1f76c208919ded531b99f879aaa0f309fa48fdd3b03e5cd41923eba3d2de1494

SHA512
890c8fd8268c008599b14480e9f243a5a2c5cae731343f2199f383308d8bd41f545d2c74af027906a057370e33d3659bf60042dd24edc3719868162912facd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-uecjdx.4k268.jpg

Filesize
16KB

MD5
0f69be148301320281d4a1a04a97bd7f

SHA1
c4dd0300864d5f449f14c94c3617a517e26c2e64

SHA256
f8006363d461a96e73e4a64b529a2c34d1f22eecbb31c5bac0d3b7ea6ac528e0

SHA512
8d1029ce6e1cfa923f67bbbd81ff26812eecd690d99151c0357de1e5b80e536ed496602e11b72b0addae4c3923d9d9d5595bf43f6c7933eb57e35e349ce22a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024318-1676-zggbtp.euo5k.jpg

Filesize
16KB

MD5
42b63bc9dee2ec1d7cb141e4ce478580

SHA1
c099f20681adc14349c9a7c6dbf4f03191465ce4

SHA256
5ee1247ed338ef5f66f4202428c7faaa122faca27df73de5d2bca0b10cbeeb68

SHA512
6367dfbe2184a9829af351e32072b094f47812861b592e7332f4c9b4e6d4e1fc79e9089de632e58a14422d7cf2dcd2dbd3072932951c609d242cd39981c4ce87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DC2.tmp

Filesize
1KB

MD5
69f7b97c8419365a51a902ec5c123898

SHA1
cdef45e3b4dade6771577c378e5fe9852f23d7f6

SHA256
575f34cf500080a7e8ce43e02ee2271002258c749a29c8928634b66bf5898f7e

SHA512
3c9e1b87759930815070a06cb016e0f62fa385724030306fc39f4563622e476b39b9ab65ac256553af42aeacf79dab5820353bd736acf07b6754249f28f161df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DF1.tmp

Filesize
1KB

MD5
99a4ce1ce2195ab997b7545f7d3a6a6d

SHA1
b9f3180e5f11b263090bf573278cb04fede027c9

SHA256
8672cb607ec4d263a8f10774342d35828c73fe8c341021db5cea409813650bc2

SHA512
abadb1c85a024b9238f0ae9b38645d64333a41208e9fc2656f6785d3815861aeb851324295525e5c07edc64267db95dcc05d7f4513f33265c044816d7b5ff9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
240B

MD5
810ae82f863a5ffae14d3b3944252a4e

SHA1
5393e27113753191436b14f0cafa8acabcfe6b2a

SHA256
453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

SHA512
2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
C:\Users\Admin\AppData\Roaming\EpsilonFruit\Local Storage\leveldb\CURRENT~RFf763faf.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCB4802849674B4A68A9D7CB6BEE18D45.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
91a1d8b7dc55e8f6737b68e989bd2997

SHA1
fff7cab2a6044664645b1e73fdfaed6297612779

SHA256
a77611e9873a5298621162b67e47c7de43ff1ec7c7932804ab32d63245a4ed5d

SHA512
b776211bbeafe235cd42c89c8530d61bae815ab5fcfeeb9c2b0a52d678630fc4087cbd92f16f1187270a89080c98b619871d34ccf49a61b8d6d893f1b29bfb23

Download Submit
\Users\Admin\AppData\Local\Temp\0f73614c-5c2f-4087-8ea2-d46b7fbae888.tmp.node

Filesize
652KB

MD5
1f86d23226fffe71b8784029d8c5125b

SHA1
9cc9bc5a5ca25a682746480dff1677d0ff5ec16c

SHA256
265d11dea86267a478907b398b8b33aad69f0944784386c1795cc32b8c931ffd

SHA512
4f1aaee14c9cb0a76853a15030b525ee082a226ac67e9c90a96bbdbbb9229f6fe48192d63686f72c55e094de45c2a032bdd241fcacc190b71ffdc0fde80824ae

Download Submit
\Users\Admin\AppData\Local\Temp\8aff3ebd-90de-4e5c-88b0-868865a69ff4.tmp.node

Filesize
163KB

MD5
b0e113443ddc1ee234acbf0eb0e6f8a0

SHA1
84cc562b82570ec05df6dbbfc8f29fbb16ec68c7

SHA256
8d6f5cab1d6a99ac49772080c6f383f33a9bb983e0f8d02d0f3de4b2bdd26215

SHA512
306e89ec66fdf8b0de19d5bcda01f69809d83f464a9c21fda4b470e81ad3b722aa6cb6086fb4c2af59504fe4332c1f9efff27168598cc00be0f28fed45dde8ee

Download Submit
\Users\Admin\AppData\Local\Temp\e5c18ff0-0335-4030-aef5-10d2a79aafeb.tmp.node

Filesize
2.7MB

MD5
08b28072c6d59fdf06a808182efed01f

SHA1
35253af00af3308a64cff1eda104fd7227abb2f4

SHA256
7c999c84852b1f46a48f75b130fea445280d7032a56359dffecf36730366abc5

SHA512
f2592ade5053b674dbe4191c7001748a801dca3b19e97e19b440a3e944011c87926b0ef21c87e98b48e038889a32e01c1d74949124be3144834e2f06d9781198

Download Submit
memory/452-300-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/488-497-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/488-462-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1104-304-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1124-326-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1124-330-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1192-379-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-296-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1264-340-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1264-438-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-298-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1360-417-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1360-343-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-412-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-388-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1496-380-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1596-495-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1596-463-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-458-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1608-358-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1608-409-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1676-58-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1704-381-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1704-466-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1764-420-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1764-387-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-443-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-501-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/1848-301-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2004-433-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2004-389-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-496-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-464-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-360-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2044-384-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-299-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2064-277-0x0000000001340000-0x000000000134A000-memory.dmp

Filesize
40KB

Download
memory/2064-377-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-452-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-500-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-490-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-465-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-385-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-406-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-297-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-309-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-386-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-376-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-390-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-513-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2624-9-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2624-42-0x0000000077380000-0x0000000077381000-memory.dmp

Filesize
4KB

Download
memory/2656-320-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-329-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-328-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-316-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-446-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-383-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-395-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-461-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-516-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/3080-529-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/3080-457-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/3164-467-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/3164-514-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download
memory/3484-505-0x000007FEF2D40000-0x000007FEF372C000-memory.dmp

Filesize
9.9MB

Download