epsilon | 24c7d715a80500ca4286152f6f418ec753d5e7e95cd400a56c2df5d63ab1ffe2

Analysis

max time kernel
131s
max time network
155s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EpsilonFruit.exe
Size

139.8MB
MD5

85f4bf8349f324f0ca541059a8e5a5e0
SHA1

685097888c606190c99c1321f970192158cd5121
SHA256

46aaa87d0bff37acb4950a172739283666e191e5570189f13a98f89d545c1d2a
SHA512

95e7d670b83f5256384f1cc14f1c70250ed1be1fc0eb3bd91386ebdab8177a8c782533f6d60a00fa0cf6eba8995005d9162bfe1395983625d1ec9eafd852be0a
SSDEEP

786432:sSfg0tbLs2cRE3FsdxwBFyAaZZiljQWohhjbj6S46P845IPD:sSj5szmFcxwBFyAaZ4jMhhXcyC

Score

10^/10

epsilon evasion persistence spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	EpsilonFruit.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	EpsilonFruit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EpsilonFruit.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	EpsilonFruit.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	EpsilonFruit.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EpsilonFruit.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EpsilonFruit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EpsilonFruit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	EpsilonFruit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EpsilonFruit.exeEpsilonFruit.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	EpsilonFruit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	EpsilonFruit.exe

Executes dropped EXE 64 IoCs

Processes:

screenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exescreenCapture_1.3.2.exe

pid	Process
768	screenCapture_1.3.2.exe
2340	screenCapture_1.3.2.exe
1724	screenCapture_1.3.2.exe
584	screenCapture_1.3.2.exe
1948	screenCapture_1.3.2.exe
2104	screenCapture_1.3.2.exe
1652	screenCapture_1.3.2.exe
2936	screenCapture_1.3.2.exe
2532	screenCapture_1.3.2.exe
1448	screenCapture_1.3.2.exe
1524	screenCapture_1.3.2.exe
2436	screenCapture_1.3.2.exe
1700	screenCapture_1.3.2.exe
2112	screenCapture_1.3.2.exe
2400	screenCapture_1.3.2.exe
1544	screenCapture_1.3.2.exe
1252	screenCapture_1.3.2.exe
2264	screenCapture_1.3.2.exe
1560	screenCapture_1.3.2.exe
900	screenCapture_1.3.2.exe
1036	screenCapture_1.3.2.exe
2724	screenCapture_1.3.2.exe
2780	screenCapture_1.3.2.exe
1600	screenCapture_1.3.2.exe
2908	screenCapture_1.3.2.exe
2172	screenCapture_1.3.2.exe
1304	screenCapture_1.3.2.exe
444	screenCapture_1.3.2.exe
2432	screenCapture_1.3.2.exe
1356	screenCapture_1.3.2.exe
2396	screenCapture_1.3.2.exe
1944	screenCapture_1.3.2.exe
2108	screenCapture_1.3.2.exe
2724	screenCapture_1.3.2.exe
1068	screenCapture_1.3.2.exe
1600	screenCapture_1.3.2.exe
2112	screenCapture_1.3.2.exe
2860	screenCapture_1.3.2.exe
1544	screenCapture_1.3.2.exe
676	screenCapture_1.3.2.exe
2432	screenCapture_1.3.2.exe
1560	screenCapture_1.3.2.exe
2136	screenCapture_1.3.2.exe
1752	screenCapture_1.3.2.exe
2476	screenCapture_1.3.2.exe
2864	screenCapture_1.3.2.exe
1700	screenCapture_1.3.2.exe
1788	screenCapture_1.3.2.exe
960	screenCapture_1.3.2.exe
1544	screenCapture_1.3.2.exe
2912	screenCapture_1.3.2.exe
2264	screenCapture_1.3.2.exe
1140	screenCapture_1.3.2.exe
2792	screenCapture_1.3.2.exe
2284	screenCapture_1.3.2.exe
848	screenCapture_1.3.2.exe
2476	screenCapture_1.3.2.exe
2436	screenCapture_1.3.2.exe
1040	screenCapture_1.3.2.exe
2728	screenCapture_1.3.2.exe
2260	screenCapture_1.3.2.exe
2296	screenCapture_1.3.2.exe
1092	screenCapture_1.3.2.exe
1948	screenCapture_1.3.2.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

EpsilonFruit.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Wine	EpsilonFruit.exe

Loads dropped DLL 3 IoCs

Processes:

EpsilonFruit.exe

pid	Process
2388	EpsilonFruit.exe
2388	EpsilonFruit.exe
2388	EpsilonFruit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsUpdater.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ipinfo.io
5	ipinfo.io

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

EpsilonFruit.exe

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	EpsilonFruit.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
1504	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
1544	tasklist.exe
2132	tasklist.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

csc.exe

pid	Process
2688	csc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

EpsilonFruit.exeEpsilonFruit.exeEpsilonFruit.exe

pid	Process
2388	EpsilonFruit.exe
544	EpsilonFruit.exe
2736	EpsilonFruit.exe
2388	EpsilonFruit.exe
2388	EpsilonFruit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetasklist.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeSecurityPrivilege	2604	WMIC.exe
Token: SeTakeOwnershipPrivilege	2604	WMIC.exe
Token: SeLoadDriverPrivilege	2604	WMIC.exe
Token: SeSystemProfilePrivilege	2604	WMIC.exe
Token: SeSystemtimePrivilege	2604	WMIC.exe
Token: SeProfSingleProcessPrivilege	2604	WMIC.exe
Token: SeIncBasePriorityPrivilege	2604	WMIC.exe
Token: SeCreatePagefilePrivilege	2604	WMIC.exe
Token: SeBackupPrivilege	2604	WMIC.exe
Token: SeRestorePrivilege	2604	WMIC.exe
Token: SeShutdownPrivilege	2604	WMIC.exe
Token: SeDebugPrivilege	2604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2604	WMIC.exe
Token: SeRemoteShutdownPrivilege	2604	WMIC.exe
Token: SeUndockPrivilege	2604	WMIC.exe
Token: SeManageVolumePrivilege	2604	WMIC.exe
Token: 33	2604	WMIC.exe
Token: 34	2604	WMIC.exe
Token: 35	2604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeSecurityPrivilege	2604	WMIC.exe
Token: SeTakeOwnershipPrivilege	2604	WMIC.exe
Token: SeLoadDriverPrivilege	2604	WMIC.exe
Token: SeSystemProfilePrivilege	2604	WMIC.exe
Token: SeSystemtimePrivilege	2604	WMIC.exe
Token: SeProfSingleProcessPrivilege	2604	WMIC.exe
Token: SeIncBasePriorityPrivilege	2604	WMIC.exe
Token: SeCreatePagefilePrivilege	2604	WMIC.exe
Token: SeBackupPrivilege	2604	WMIC.exe
Token: SeRestorePrivilege	2604	WMIC.exe
Token: SeShutdownPrivilege	2604	WMIC.exe
Token: SeDebugPrivilege	2604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2604	WMIC.exe
Token: SeRemoteShutdownPrivilege	2604	WMIC.exe
Token: SeUndockPrivilege	2604	WMIC.exe
Token: SeManageVolumePrivilege	2604	WMIC.exe
Token: 33	2604	WMIC.exe
Token: 34	2604	WMIC.exe
Token: 35	2604	WMIC.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeIncreaseQuotaPrivilege	536	WMIC.exe
Token: SeSecurityPrivilege	536	WMIC.exe
Token: SeTakeOwnershipPrivilege	536	WMIC.exe
Token: SeLoadDriverPrivilege	536	WMIC.exe
Token: SeSystemProfilePrivilege	536	WMIC.exe
Token: SeSystemtimePrivilege	536	WMIC.exe
Token: SeProfSingleProcessPrivilege	536	WMIC.exe
Token: SeIncBasePriorityPrivilege	536	WMIC.exe
Token: SeCreatePagefilePrivilege	536	WMIC.exe
Token: SeBackupPrivilege	536	WMIC.exe
Token: SeRestorePrivilege	536	WMIC.exe
Token: SeShutdownPrivilege	536	WMIC.exe
Token: SeDebugPrivilege	536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	536	WMIC.exe
Token: SeRemoteShutdownPrivilege	536	WMIC.exe
Token: SeUndockPrivilege	536	WMIC.exe
Token: SeManageVolumePrivilege	536	WMIC.exe
Token: 33	536	WMIC.exe
Token: 34	536	WMIC.exe
Token: 35	536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	536	WMIC.exe
Token: SeSecurityPrivilege	536	WMIC.exe
Token: SeTakeOwnershipPrivilege	536	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EpsilonFruit.exe

pid	Process
2388	EpsilonFruit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EpsilonFruit.execmd.execmd.exe

description	pid	Process	procid_target
PID 2388 wrote to memory of 2628	2388	EpsilonFruit.exe	400
PID 2388 wrote to memory of 2628	2388	EpsilonFruit.exe	400
PID 2388 wrote to memory of 2628	2388	EpsilonFruit.exe	400
PID 2628 wrote to memory of 2604	2628	cmd.exe	203
PID 2628 wrote to memory of 2604	2628	cmd.exe	203
PID 2628 wrote to memory of 2604	2628	cmd.exe	203
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 2748	2388	EpsilonFruit.exe	31
PID 2388 wrote to memory of 544	2388	EpsilonFruit.exe	32
PID 2388 wrote to memory of 544	2388	EpsilonFruit.exe	32
PID 2388 wrote to memory of 544	2388	EpsilonFruit.exe	32
PID 2388 wrote to memory of 2736	2388	EpsilonFruit.exe	33
PID 2388 wrote to memory of 2736	2388	EpsilonFruit.exe	33
PID 2388 wrote to memory of 2736	2388	EpsilonFruit.exe	33
PID 2388 wrote to memory of 2192	2388	EpsilonFruit.exe	35
PID 2388 wrote to memory of 2192	2388	EpsilonFruit.exe	35
PID 2388 wrote to memory of 2192	2388	EpsilonFruit.exe	35
PID 2388 wrote to memory of 1412	2388	EpsilonFruit.exe	458
PID 2388 wrote to memory of 1412	2388	EpsilonFruit.exe	458
PID 2388 wrote to memory of 1412	2388	EpsilonFruit.exe	458
PID 2388 wrote to memory of 2552	2388	EpsilonFruit.exe	407
PID 2388 wrote to memory of 2552	2388	EpsilonFruit.exe	407
PID 2388 wrote to memory of 2552	2388	EpsilonFruit.exe	407
PID 2192 wrote to memory of 2912	2192	cmd.exe	217
PID 2192 wrote to memory of 2912	2192	cmd.exe	217

C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
"C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1192,7888707671752171380,10718827970564779730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --mojo-platform-channel-handle=1280 --field-trial-handle=1192,7888707671752171380,10718827970564779730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1604 --field-trial-handle=1192,7888707671752171380,10718827970564779730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  PID:1412
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:1936
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:304
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:1112
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:824
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1820
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:636
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1264 --field-trial-handle=1192,7888707671752171380,10718827970564779730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonFruit.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\EpsilonFruit" --mojo-platform-channel-handle=1740 --field-trial-handle=1192,7888707671752171380,10718827970564779730,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-4ki9wh.yiimm.jpg" "
  2⤵
  PID:2968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33FC.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC5FAEE389F07A4175972C2D2FD5022DD.TMP"
      4⤵
      PID:2860
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-4ki9wh.yiimm.jpg"
    3⤵
    - Executes dropped EXE
    PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-u0c6xk.4k55j.jpg" "
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-u0c6xk.4k55j.jpg"
    3⤵
    - Executes dropped EXE
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
  2⤵
  PID:2072
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
    3⤵
    - Adds Run key to start application
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2408
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ib8lts.rdub.jpg" "
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ib8lts.rdub.jpg"
    3⤵
    - Executes dropped EXE
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19lrdw8.jkqh.jpg" "
  2⤵
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19lrdw8.jkqh.jpg"
    3⤵
    - Executes dropped EXE
    PID:584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-32wli2.xvuaa.jpg" "
  2⤵
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-32wli2.xvuaa.jpg"
    3⤵
    - Executes dropped EXE
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1g5zxnr.jlvgl.jpg" "
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1g5zxnr.jlvgl.jpg"
    3⤵
    - Executes dropped EXE
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1eu8yrl.9p4m.jpg" "
  2⤵
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1eu8yrl.9p4m.jpg"
    3⤵
    - Executes dropped EXE
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cb1wsr.9mtc.jpg" "
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cb1wsr.9mtc.jpg"
    3⤵
    - Executes dropped EXE
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vdmswh.f7158.jpg" "
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vdmswh.f7158.jpg"
    3⤵
    - Executes dropped EXE
    PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vx4rx5.1qmer.jpg" "
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vx4rx5.1qmer.jpg"
    3⤵
    - Executes dropped EXE
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-660end.alj84.jpg" "
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-660end.alj84.jpg"
    3⤵
    - Executes dropped EXE
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-v5oqp7.y3ynr.jpg" "
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-v5oqp7.y3ynr.jpg"
    3⤵
    - Executes dropped EXE
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-pmuj5h.50hdf.jpg" "
  2⤵
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-pmuj5h.50hdf.jpg"
    3⤵
    - Executes dropped EXE
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-162zuk8.11dr.jpg" "
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-162zuk8.11dr.jpg"
    3⤵
    - Executes dropped EXE
    PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-h1ui26.gzkvk.jpg" "
  2⤵
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-h1ui26.gzkvk.jpg"
    3⤵
    - Executes dropped EXE
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1dtj19v.n1lx.jpg" "
  2⤵
  PID:596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1dtj19v.n1lx.jpg"
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-171hn3g.so29.jpg" "
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-171hn3g.so29.jpg"
    3⤵
    - Executes dropped EXE
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12j1lc5.lwxd.jpg" "
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12j1lc5.lwxd.jpg"
    3⤵
    - Executes dropped EXE
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-oxtac1.9ln58.jpg" "
  2⤵
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-oxtac1.9ln58.jpg"
    3⤵
    - Executes dropped EXE
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1o5qql4.uhb3.jpg" "
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1o5qql4.uhb3.jpg"
    3⤵
    - Executes dropped EXE
    PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wutrlf.78ij.jpg" "
  2⤵
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wutrlf.78ij.jpg"
    3⤵
    - Executes dropped EXE
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-beld78.rueh9.jpg" "
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-beld78.rueh9.jpg"
    3⤵
    - Executes dropped EXE
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-11d8fqo.8fxw.jpg" "
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-11d8fqo.8fxw.jpg"
    3⤵
    - Executes dropped EXE
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hzzrh7.br3j.jpg" "
  2⤵
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hzzrh7.br3j.jpg"
    3⤵
    - Executes dropped EXE
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-157rhcy.g74vl.jpg" "
  2⤵
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-157rhcy.g74vl.jpg"
    3⤵
    - Executes dropped EXE
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-qzsar3.q2b7k.jpg" "
  2⤵
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-qzsar3.q2b7k.jpg"
    3⤵
    - Executes dropped EXE
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mnksp5.scl4m.jpg" "
  2⤵
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mnksp5.scl4m.jpg"
    3⤵
    - Executes dropped EXE
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pv9n19.66jb.jpg" "
  2⤵
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pv9n19.66jb.jpg"
    3⤵
    - Executes dropped EXE
    PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-by9nih.ma3l9.jpg" "
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-by9nih.ma3l9.jpg"
    3⤵
    - Executes dropped EXE
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-9byqi1.l5cc.jpg" "
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-9byqi1.l5cc.jpg"
    3⤵
    - Executes dropped EXE
    PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cig90m.czsy.jpg" "
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cig90m.czsy.jpg"
    3⤵
    - Executes dropped EXE
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12r0n7a.lhmp.jpg" "
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12r0n7a.lhmp.jpg"
    3⤵
    - Executes dropped EXE
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-w8exer.nfm4c.jpg" "
  2⤵
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-w8exer.nfm4c.jpg"
    3⤵
    - Executes dropped EXE
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dpg9lq.rmq2t.jpg" "
  2⤵
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dpg9lq.rmq2t.jpg"
    3⤵
    - Executes dropped EXE
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1s5e4w5.y7em.jpg" "
  2⤵
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1s5e4w5.y7em.jpg"
    3⤵
    - Executes dropped EXE
    PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-144eqt.mz9d8.jpg" "
  2⤵
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-144eqt.mz9d8.jpg"
    3⤵
    - Executes dropped EXE
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qdrgnc.rzc5.jpg" "
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qdrgnc.rzc5.jpg"
    3⤵
    - Executes dropped EXE
    PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1olfv5q.ejsig.jpg" "
  2⤵
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1olfv5q.ejsig.jpg"
    3⤵
    - Executes dropped EXE
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dt4npz.whbh8.jpg" "
  2⤵
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dt4npz.whbh8.jpg"
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pvnii2.9wl0f.jpg" "
  2⤵
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pvnii2.9wl0f.jpg"
    3⤵
    - Executes dropped EXE
    PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-526goq.zdn9q.jpg" "
  2⤵
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-526goq.zdn9q.jpg"
    3⤵
    - Executes dropped EXE
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-acfdu9.w0xsh.jpg" "
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-acfdu9.w0xsh.jpg"
    3⤵
    - Executes dropped EXE
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1n8posm.xg6d.jpg" "
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1n8posm.xg6d.jpg"
    3⤵
    - Executes dropped EXE
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wvj8cy.vkmf.jpg" "
  2⤵
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wvj8cy.vkmf.jpg"
    3⤵
    - Executes dropped EXE
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-z74k9z.s2z9s.jpg" "
  2⤵
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-z74k9z.s2z9s.jpg"
    3⤵
    - Executes dropped EXE
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1fiyxz3.npndf.jpg" "
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1fiyxz3.npndf.jpg"
    3⤵
    - Executes dropped EXE
    PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-18v2tvy.qr1k.jpg" "
  2⤵
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-18v2tvy.qr1k.jpg"
    3⤵
    - Executes dropped EXE
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ix2rw9.c4q3.jpg" "
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ix2rw9.c4q3.jpg"
    3⤵
    - Executes dropped EXE
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bhvyxm.vs0hu.jpg" "
  2⤵
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bhvyxm.vs0hu.jpg"
    3⤵
    - Executes dropped EXE
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1a1kdci.dxwig.jpg" "
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1a1kdci.dxwig.jpg"
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rik2jk.epc2k.jpg" "
  2⤵
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rik2jk.epc2k.jpg"
    3⤵
    - Executes dropped EXE
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-16yx3nd.1wn2.jpg" "
  2⤵
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-16yx3nd.1wn2.jpg"
    3⤵
    - Executes dropped EXE
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1o124hw.d67nl.jpg" "
  2⤵
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1o124hw.d67nl.jpg"
    3⤵
    - Executes dropped EXE
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-50e082.3614a.jpg" "
  2⤵
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-50e082.3614a.jpg"
    3⤵
    - Executes dropped EXE
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-g2quaw.araci.jpg" "
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-g2quaw.araci.jpg"
    3⤵
    - Executes dropped EXE
    PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1mgudwz.k3tu.jpg" "
  2⤵
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1mgudwz.k3tu.jpg"
    3⤵
    - Executes dropped EXE
    PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cp5lsa.l66n.jpg" "
  2⤵
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cp5lsa.l66n.jpg"
    3⤵
    - Executes dropped EXE
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vmoye2.jdo27.jpg" "
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vmoye2.jdo27.jpg"
    3⤵
    - Executes dropped EXE
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-hro4sd.xanai.jpg" "
  2⤵
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-hro4sd.xanai.jpg"
    3⤵
    - Executes dropped EXE
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ms6i14.tlaus.jpg" "
  2⤵
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ms6i14.tlaus.jpg"
    3⤵
    - Executes dropped EXE
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-yrbisf.niy6.jpg" "
  2⤵
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-yrbisf.niy6.jpg"
    3⤵
    - Executes dropped EXE
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mh9p8d.q5u2b.jpg" "
  2⤵
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mh9p8d.q5u2b.jpg"
    3⤵
    - Executes dropped EXE
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-hu063d.1bhpf.jpg" "
  2⤵
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-hu063d.1bhpf.jpg"
    3⤵
    - Executes dropped EXE
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7kv3md.4mahh.jpg" "
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7kv3md.4mahh.jpg"
    3⤵
    - Executes dropped EXE
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-137q94d.ijez.jpg" "
  2⤵
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-137q94d.ijez.jpg"
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1u3m581.hkwo.jpg" "
  2⤵
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1u3m581.hkwo.jpg"
    3⤵
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1e0byy7.neyq.jpg" "
  2⤵
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1e0byy7.neyq.jpg"
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-cirdv3.awx5k.jpg" "
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-cirdv3.awx5k.jpg"
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-epmgrd.7ak7t.jpg" "
  2⤵
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-epmgrd.7ak7t.jpg"
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-3nh63v.3l2nv.jpg" "
  2⤵
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-3nh63v.3l2nv.jpg"
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bc3hnm.xj7v.jpg" "
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bc3hnm.xj7v.jpg"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-t1ic2j.p9ol.jpg" "
  2⤵
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-t1ic2j.p9ol.jpg"
    3⤵
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-180nrni.o0xvi.jpg" "
  2⤵
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-180nrni.o0xvi.jpg"
    3⤵
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-70qaxr.ivbg6.jpg" "
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-70qaxr.ivbg6.jpg"
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-j9dchy.0mgtn.jpg" "
  2⤵
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-j9dchy.0mgtn.jpg"
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qki6ik.atax.jpg" "
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qki6ik.atax.jpg"
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1j85kg8.ra54f.jpg" "
  2⤵
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1j85kg8.ra54f.jpg"
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-pxmjug.z3c89.jpg" "
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-pxmjug.z3c89.jpg"
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bwdmjm.8upvh.jpg" "
  2⤵
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bwdmjm.8upvh.jpg"
    3⤵
    PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ns0ldx.b8g5l.jpg" "
  2⤵
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ns0ldx.b8g5l.jpg"
    3⤵
    PID:2872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-iv5oje.czx4s.jpg" "
  2⤵
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-iv5oje.czx4s.jpg"
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gmxn4o.y8w2.jpg" "
  2⤵
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gmxn4o.y8w2.jpg"
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1arp8z2.j5gxf.jpg" "
  2⤵
  PID:348
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1arp8z2.j5gxf.jpg"
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1h3yg5x.ndq1l.jpg" "
  2⤵
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1h3yg5x.ndq1l.jpg"
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-adksiu.03hni.jpg" "
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-adksiu.03hni.jpg"
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-srbf24.bnxun.jpg" "
  2⤵
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-srbf24.bnxun.jpg"
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1h1t4os.w38q.jpg" "
  2⤵
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1h1t4os.w38q.jpg"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-eugezf.63qe.jpg" "
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-eugezf.63qe.jpg"
    3⤵
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-146buph.xttg.jpg" "
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-146buph.xttg.jpg"
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1vlw8mm.r0uz.jpg" "
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1vlw8mm.r0uz.jpg"
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jkg0gc.t7b9j.jpg" "
  2⤵
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jkg0gc.t7b9j.jpg"
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-17exutv.nnm5.jpg" "
  2⤵
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-17exutv.nnm5.jpg"
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19v5qm8.efue.jpg" "
  2⤵
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19v5qm8.efue.jpg"
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gf41sc.p7hu.jpg" "
  2⤵
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gf41sc.p7hu.jpg"
    3⤵
    PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gqgeh3.j5or.jpg" "
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gqgeh3.j5or.jpg"
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-j9lua1.18ofp.jpg" "
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-j9lua1.18ofp.jpg"
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-130tqsw.ppb8.jpg" "
  2⤵
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-130tqsw.ppb8.jpg"
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mm4d2p.ny2lq.jpg" "
  2⤵
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mm4d2p.ny2lq.jpg"
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mkp1cp.y317.jpg" "
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mkp1cp.y317.jpg"
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qfw24k.omjx.jpg" "
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qfw24k.omjx.jpg"
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cdjhh9.48mh.jpg" "
  2⤵
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cdjhh9.48mh.jpg"
    3⤵
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1e9wmb9.ru75.jpg" "
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1e9wmb9.ru75.jpg"
    3⤵
    PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-9giq2b.zpvof.jpg" "
  2⤵
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-9giq2b.zpvof.jpg"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wcomh4.hqwap.jpg" "
  2⤵
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wcomh4.hqwap.jpg"
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7tshhy.fwpp5.jpg" "
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7tshhy.fwpp5.jpg"
    3⤵
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-tm9urp.4py7.jpg" "
  2⤵
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-tm9urp.4py7.jpg"
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-aim9bb.v5mx5.jpg" "
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-aim9bb.v5mx5.jpg"
    3⤵
    PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-cbyh8n.c3aao.jpg" "
  2⤵
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-cbyh8n.c3aao.jpg"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-k7oubn.lgwml.jpg" "
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-k7oubn.lgwml.jpg"
    3⤵
    PID:348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-17epcky.p74u.jpg" "
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-17epcky.p74u.jpg"
    3⤵
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ox6lnj.glw5.jpg" "
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ox6lnj.glw5.jpg"
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-tm5zrv.qg8pj.jpg" "
  2⤵
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-tm5zrv.qg8pj.jpg"
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12plyt2.bfle.jpg" "
  2⤵
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12plyt2.bfle.jpg"
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cbvzxb.6htq.jpg" "
  2⤵
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cbvzxb.6htq.jpg"
    3⤵
    PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1xxe46s.cw2o.jpg" "
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1xxe46s.cw2o.jpg"
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jezmeo.ncut.jpg" "
  2⤵
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jezmeo.ncut.jpg"
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1n91uc9.xp36.jpg" "
  2⤵
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1n91uc9.xp36.jpg"
    3⤵
    PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-fwq6hf.b45t.jpg" "
  2⤵
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-fwq6hf.b45t.jpg"
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1c4nmo4.cdbgj.jpg" "
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1c4nmo4.cdbgj.jpg"
    3⤵
    PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-98frl7.t9996.jpg" "
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-98frl7.t9996.jpg"
    3⤵
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-451xxi.n4wco.jpg" "
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-451xxi.n4wco.jpg"
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rz6u1j.vtr3l.jpg" "
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rz6u1j.vtr3l.jpg"
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pw0z1n.evtz.jpg" "
  2⤵
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pw0z1n.evtz.jpg"
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wgid9b.9wku.jpg" "
  2⤵
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wgid9b.9wku.jpg"
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-y3r5ib.8z8i.jpg" "
  2⤵
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-y3r5ib.8z8i.jpg"
    3⤵
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-16dnpda.d4mr.jpg" "
  2⤵
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-16dnpda.d4mr.jpg"
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ndgbjh.tj03f.jpg" "
  2⤵
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ndgbjh.tj03f.jpg"
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jcf2mr.g575k.jpg" "
  2⤵
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jcf2mr.g575k.jpg"
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-a9buy3.z0ih.jpg" "
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-a9buy3.z0ih.jpg"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-s1alft.l20v8.jpg" "
  2⤵
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-s1alft.l20v8.jpg"
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-doupu.chaor.jpg" "
  2⤵
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-doupu.chaor.jpg"
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-prbl2q.12jyr.jpg" "
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-prbl2q.12jyr.jpg"
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-18y76rk.2cvb.jpg" "
  2⤵
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-18y76rk.2cvb.jpg"
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ps2ukl.hss7.jpg" "
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ps2ukl.hss7.jpg"
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mpwq5b.37l5.jpg" "
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mpwq5b.37l5.jpg"
    3⤵
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rl7pp9.sh8x.jpg" "
  2⤵
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rl7pp9.sh8x.jpg"
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-o3ahmx.qsepp.jpg" "
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-o3ahmx.qsepp.jpg"
    3⤵
    PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-g91c0v.cio6.jpg" "
  2⤵
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-g91c0v.cio6.jpg"
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-15sc8vq.oyve.jpg" "
  2⤵
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-15sc8vq.oyve.jpg"
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1aptvyh.nqivh.jpg" "
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1aptvyh.nqivh.jpg"
    3⤵
    PID:304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-h4dkav.vqvx.jpg" "
  2⤵
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-h4dkav.vqvx.jpg"
    3⤵
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1lzxzey.utqg.jpg" "
  2⤵
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1lzxzey.utqg.jpg"
    3⤵
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-djr8op.ste2s.jpg" "
  2⤵
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-djr8op.ste2s.jpg"
    3⤵
    PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ddbe01.hdtv.jpg" "
  2⤵
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ddbe01.hdtv.jpg"
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1e9y5pl.2lvt.jpg" "
  2⤵
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1e9y5pl.2lvt.jpg"
    3⤵
    PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-iowols.02uik.jpg" "
  2⤵
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-iowols.02uik.jpg"
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1c1s2if.irwf.jpg" "
  2⤵
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1c1s2if.irwf.jpg"
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-l5pjd1.dibz.jpg" "
  2⤵
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-l5pjd1.dibz.jpg"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mw3zoo.umiwe.jpg" "
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mw3zoo.umiwe.jpg"
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-10d2zwc.m3s.jpg" "
  2⤵
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-10d2zwc.m3s.jpg"
    3⤵
    PID:348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-e30qmf.lr5w.jpg" "
  2⤵
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-e30qmf.lr5w.jpg"
    3⤵
    PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1povmcg.7j6w.jpg" "
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1povmcg.7j6w.jpg"
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1rjvdas.8r1f.jpg" "
  2⤵
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1rjvdas.8r1f.jpg"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-v48s5z.ysn68.jpg" "
  2⤵
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-v48s5z.ysn68.jpg"
    3⤵
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bpq8ov.5z1z5.jpg" "
  2⤵
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-bpq8ov.5z1z5.jpg"
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qdykja.k3x6.jpg" "
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qdykja.k3x6.jpg"
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rosw2b.c794h.jpg" "
  2⤵
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rosw2b.c794h.jpg"
    3⤵
    PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-8sncje.94ddl.jpg" "
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-8sncje.94ddl.jpg"
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-manhp0.4gsz.jpg" "
  2⤵
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-manhp0.4gsz.jpg"
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-o6k71.gp1wz.jpg" "
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-o6k71.gp1wz.jpg"
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-14u10t.atjrt.jpg" "
  2⤵
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-14u10t.atjrt.jpg"
    3⤵
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jouh6q.3awym.jpg" "
  2⤵
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jouh6q.3awym.jpg"
    3⤵
    PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ubexr0.rppl.jpg" "
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ubexr0.rppl.jpg"
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-k1bhs4.itgj.jpg" "
  2⤵
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-k1bhs4.itgj.jpg"
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gdg27s.x6bil.jpg" "
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gdg27s.x6bil.jpg"
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-w1xww.ipn1h8.jpg" "
  2⤵
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-w1xww.ipn1h8.jpg"
    3⤵
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-n5uod6.431r.jpg" "
  2⤵
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-n5uod6.431r.jpg"
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-l7j6t5.hvz3.jpg" "
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-l7j6t5.hvz3.jpg"
    3⤵
    PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-swrwtr.gtpcl.jpg" "
  2⤵
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-swrwtr.gtpcl.jpg"
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-xrvdto.xrkdn.jpg" "
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-xrvdto.xrkdn.jpg"
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cjw1a7.wn7jg.jpg" "
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cjw1a7.wn7jg.jpg"
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1f93r34.zbtf.jpg" "
  2⤵
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1f93r34.zbtf.jpg"
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-n4xyff.b7z5p.jpg" "
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-n4xyff.b7z5p.jpg"
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-e80k36.7616s.jpg" "
  2⤵
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-e80k36.7616s.jpg"
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-nb1eg8.qm1r.jpg" "
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-nb1eg8.qm1r.jpg"
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wjwnqo.cffc.jpg" "
  2⤵
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wjwnqo.cffc.jpg"
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b5zzmj.5kvr.jpg" "
  2⤵
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b5zzmj.5kvr.jpg"
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1840hoh.6gy8.jpg" "
  2⤵
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1840hoh.6gy8.jpg"
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mlpzv1.vk92i.jpg" "
  2⤵
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mlpzv1.vk92i.jpg"
    3⤵
    PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-blort9.q8g1c.jpg" "
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-blort9.q8g1c.jpg"
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7v4slm.zkee.jpg" "
  2⤵
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7v4slm.zkee.jpg"
    3⤵
    PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-frwzdn.ni2b4.jpg" "
  2⤵
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-frwzdn.ni2b4.jpg"
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wf6tut.7sxrg.jpg" "
  2⤵
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wf6tut.7sxrg.jpg"
    3⤵
    PID:584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-36kozv.gt3da.jpg" "
  2⤵
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-36kozv.gt3da.jpg"
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1p4sqpw.eucrh.jpg" "
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1p4sqpw.eucrh.jpg"
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pg7aqd.nq8i.jpg" "
  2⤵
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1pg7aqd.nq8i.jpg"
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gdydto.rr6x.jpg" "
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1gdydto.rr6x.jpg"
    3⤵
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-i8kev5.3t2rk.jpg" "
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-i8kev5.3t2rk.jpg"
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ehuutu.2aazi.jpg" "
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ehuutu.2aazi.jpg"
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7z942a.20hx6.jpg" "
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7z942a.20hx6.jpg"
    3⤵
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1oygxd2.3v9m.jpg" "
  2⤵
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1oygxd2.3v9m.jpg"
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ezol43.xjauc.jpg" "
  2⤵
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ezol43.xjauc.jpg"
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1bcnlhr.8mda.jpg" "
  2⤵
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1bcnlhr.8mda.jpg"
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rs1zhu.dssj.jpg" "
  2⤵
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rs1zhu.dssj.jpg"
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1h94bmr.puza.jpg" "
  2⤵
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1h94bmr.puza.jpg"
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-5zckgt.z21f6.jpg" "
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-5zckgt.z21f6.jpg"
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-17ftrou.uwhm.jpg" "
  2⤵
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-17ftrou.uwhm.jpg"
    3⤵
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-18b401a.dp6e.jpg" "
  2⤵
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-18b401a.dp6e.jpg"
    3⤵
    PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19mzv4.d2ex8.jpg" "
  2⤵
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19mzv4.d2ex8.jpg"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ejict7.2k5e.jpg" "
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ejict7.2k5e.jpg"
    3⤵
    PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ub6zsw.27wz8.jpg" "
  2⤵
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ub6zsw.27wz8.jpg"
    3⤵
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-cwlib0.60kb.jpg" "
  2⤵
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-cwlib0.60kb.jpg"
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1piuk3h.0ab8.jpg" "
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1piuk3h.0ab8.jpg"
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mu13cz.wwh4.jpg" "
  2⤵
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mu13cz.wwh4.jpg"
    3⤵
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qod7fh.5loi.jpg" "
  2⤵
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1qod7fh.5loi.jpg"
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wkdeoe.vv7ii.jpg" "
  2⤵
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wkdeoe.vv7ii.jpg"
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-znivca.jlmu.jpg" "
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-znivca.jlmu.jpg"
    3⤵
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b80csf.4qdd.jpg" "
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b80csf.4qdd.jpg"
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19a0ljn.rgsgk.jpg" "
  2⤵
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19a0ljn.rgsgk.jpg"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1j9qbvh.cgdb.jpg" "
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1j9qbvh.cgdb.jpg"
    3⤵
    PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dqw2i4.6crk.jpg" "
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dqw2i4.6crk.jpg"
    3⤵
    PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-q6qmoi.ot9fb.jpg" "
  2⤵
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-q6qmoi.ot9fb.jpg"
    3⤵
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1l0gzt2.4kza.jpg" "
  2⤵
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1l0gzt2.4kza.jpg"
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1rmozql.kbz5.jpg" "
  2⤵
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1rmozql.kbz5.jpg"
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-197fd3q.j88n.jpg" "
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-197fd3q.j88n.jpg"
    3⤵
    PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hkfspa.du54.jpg" "
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hkfspa.du54.jpg"
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-3wtrz0.yucpj.jpg" "
  2⤵
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-3wtrz0.yucpj.jpg"
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1j6a5uc.lju8.jpg" "
  2⤵
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1j6a5uc.lju8.jpg"
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1lkk9ow.hopl.jpg" "
  2⤵
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1lkk9ow.hopl.jpg"
    3⤵
    PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1s34an3.qsxb.jpg" "
  2⤵
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1s34an3.qsxb.jpg"
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-9hi3o8.eyytf.jpg" "
  2⤵
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-9hi3o8.eyytf.jpg"
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-hm3da0.ekrso.jpg" "
  2⤵
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-hm3da0.ekrso.jpg"
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ueh3ws.ixb.jpg" "
  2⤵
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ueh3ws.ixb.jpg"
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1kl77uh.r5d4.jpg" "
  2⤵
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1kl77uh.r5d4.jpg"
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-smc9e0.1dxo.jpg" "
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-smc9e0.1dxo.jpg"
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ryzez9.pmeni.jpg" "
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ryzez9.pmeni.jpg"
    3⤵
    PID:408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dj99wj.vgbmd.jpg" "
  2⤵
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-dj99wj.vgbmd.jpg"
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1dbarww.whlj.jpg" "
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1dbarww.whlj.jpg"
    3⤵
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12t9ic6.8px5.jpg" "
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12t9ic6.8px5.jpg"
    3⤵
    PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rj3jxv.r4vo.jpg" "
  2⤵
  PID:616
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-rj3jxv.r4vo.jpg"
    3⤵
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-10rcxcq.ax7r.jpg" "
  2⤵
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-10rcxcq.ax7r.jpg"
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mwvsrw.ml6m9.jpg" "
  2⤵
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-mwvsrw.ml6m9.jpg"
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-3gvhrp.ti8ab.jpg" "
  2⤵
  PID:332
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-3gvhrp.ti8ab.jpg"
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1yws8qs.1jpk.jpg" "
  2⤵
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1yws8qs.1jpk.jpg"
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-126m31y.3m6t.jpg" "
  2⤵
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-126m31y.3m6t.jpg"
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-zvooa7.q0s1.jpg" "
  2⤵
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-zvooa7.q0s1.jpg"
    3⤵
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1o00cki.wcnf.jpg" "
  2⤵
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1o00cki.wcnf.jpg"
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hriv5e.c9xt.jpg" "
  2⤵
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hriv5e.c9xt.jpg"
    3⤵
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hwmjso.el8b.jpg" "
  2⤵
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hwmjso.el8b.jpg"
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b5b1w5.re08.jpg" "
  2⤵
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b5b1w5.re08.jpg"
    3⤵
    PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-13qlxoq.85c9l.jpg" "
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-13qlxoq.85c9l.jpg"
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-l87re.ww1zkf.jpg" "
  2⤵
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-l87re.ww1zkf.jpg"
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1jnmglo.3y7dh.jpg" "
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1jnmglo.3y7dh.jpg"
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-uaucls.128o.jpg" "
  2⤵
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-uaucls.128o.jpg"
    3⤵
    PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-14s8whb.qk2q.jpg" "
  2⤵
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-14s8whb.qk2q.jpg"
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ixtw8o.2x3x.jpg" "
  2⤵
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ixtw8o.2x3x.jpg"
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vbmzbh.pocf.jpg" "
  2⤵
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vbmzbh.pocf.jpg"
    3⤵
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1rk1ajo.bnpe.jpg" "
  2⤵
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1rk1ajo.bnpe.jpg"
    3⤵
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ffns5h.l6ctk.jpg" "
  2⤵
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ffns5h.l6ctk.jpg"
    3⤵
    PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ved4qw.1hie8.jpg" "
  2⤵
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ved4qw.1hie8.jpg"
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jimjuq.q900j.jpg" "
  2⤵
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jimjuq.q900j.jpg"
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-up7tmc.orvtb.jpg" "
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-up7tmc.orvtb.jpg"
    3⤵
    PID:304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ypvoa5.52jn.jpg" "
  2⤵
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ypvoa5.52jn.jpg"
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-4rqxt.hvnk1q.jpg" "
  2⤵
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-4rqxt.hvnk1q.jpg"
    3⤵
    PID:584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1k0ner3.zmm9.jpg" "
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1k0ner3.zmm9.jpg"
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1nwql5.rhsy1.jpg" "
  2⤵
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1nwql5.rhsy1.jpg"
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-gb8uzy.n23e6.jpg" "
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-gb8uzy.n23e6.jpg"
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-s8eh86.wpee.jpg" "
  2⤵
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-s8eh86.wpee.jpg"
    3⤵
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-r3jdz2.9tm1p.jpg" "
  2⤵
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-r3jdz2.9tm1p.jpg"
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1mvyco1.nsyg.jpg" "
  2⤵
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1mvyco1.nsyg.jpg"
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-b161b9.ojkbj.jpg" "
  2⤵
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-b161b9.ojkbj.jpg"
    3⤵
    PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-d09dbv.8jqhu.jpg" "
  2⤵
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-d09dbv.8jqhu.jpg"
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-597jnc.neu1l.jpg" "
  2⤵
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-597jnc.neu1l.jpg"
    3⤵
    PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-y54o7j.81pl.jpg" "
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-y54o7j.81pl.jpg"
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1y36td7.sxiae.jpg" "
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1y36td7.sxiae.jpg"
    3⤵
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hbv6a8.9zpi.jpg" "
  2⤵
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hbv6a8.9zpi.jpg"
    3⤵
    PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-oz034e.d6yso.jpg" "
  2⤵
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-oz034e.d6yso.jpg"
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-b7vu5h.pncww.jpg" "
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-b7vu5h.pncww.jpg"
    3⤵
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wqexho.opn0f.jpg" "
  2⤵
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wqexho.opn0f.jpg"
    3⤵
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-k3dn3k.h17u.jpg" "
  2⤵
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-k3dn3k.h17u.jpg"
    3⤵
    PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19khkjc.tch6.jpg" "
  2⤵
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19khkjc.tch6.jpg"
    3⤵
    PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jqlsgn.wwh7e.jpg" "
  2⤵
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-jqlsgn.wwh7e.jpg"
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-gzbyrh.cgvdq.jpg" "
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-gzbyrh.cgvdq.jpg"
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cye00l.t85c.jpg" "
  2⤵
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cye00l.t85c.jpg"
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vstm9s.qqpw.jpg" "
  2⤵
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-vstm9s.qqpw.jpg"
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-fmn20m.hrqc.jpg" "
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-fmn20m.hrqc.jpg"
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ynac89.nasl.jpg" "
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ynac89.nasl.jpg"
    3⤵
    PID:348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ity7t7.4u4t.jpg" "
  2⤵
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-ity7t7.4u4t.jpg"
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1is0oa9.d2kw.jpg" "
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1is0oa9.d2kw.jpg"
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-4253wx.59l4c.jpg" "
  2⤵
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-4253wx.59l4c.jpg"
    3⤵
    PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1sq0b46.3zi.jpg" "
  2⤵
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1sq0b46.3zi.jpg"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b2o6fx.kt9.jpg" "
  2⤵
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1b2o6fx.kt9.jpg"
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19whxvw.1assf.jpg" "
  2⤵
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-19whxvw.1assf.jpg"
    3⤵
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-5czhog.5yhlj.jpg" "
  2⤵
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-5czhog.5yhlj.jpg"
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wpec20.rprho.jpg" "
  2⤵
  PID:824
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-wpec20.rprho.jpg"
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12uvweu.1vra.jpg" "
  2⤵
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-12uvweu.1vra.jpg"
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1p4dct5.v25a.jpg" "
  2⤵
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-1p4dct5.v25a.jpg"
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-15ga5vl.9ai2k.jpg" "
  2⤵
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-15ga5vl.9ai2k.jpg"
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7pvbfq.z7gea.jpg" "
  2⤵
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-7pvbfq.z7gea.jpg"
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\2024319-2388-15wozlg.hkk1f.jpg" "
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\2024319-2388-15wozlg.hkk1f.jpg"
    3⤵
    PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3217431281842466351-1876559077846694990171058027-1275948263-346850684154023341"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6316174801102545752-336771227-21358727611851718684-21062452861774618629-1834950133"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2143159728-1615936168-581478394231930701-2128164129-16266339891391362499415092063"
1⤵
PID:560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4112501419816256475373102901101408543-11331545332422443-3662988501697826093"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-628015188555442199-1303659068-1391387419-12421079264381248591212728070364003228"
1⤵
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-495436439-7519312523240223206808800813993114151209209865-1979893918-912179323"
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1406729182359586212-414583096-8522089691851402085-198307389417036744061609627780"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-922365314574664356-926794867334206891-9344578841997267605-1116402492-2039265119"
1⤵
PID:1084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-167613225910596510062065936415-1096915984919999524-1693493193-332279634-359957564"
1⤵
PID:1648

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1504

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1720046321101381551-8878595171213512605580941401-1490676112-8325957261010534810"
1⤵
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-676102780-99237189333145528-89056621612522980581975037443-19731033802040671395"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1535389105-7629852385865313941375138332259509091-4341993251353278589-2081374682"
1⤵
PID:2108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1982694164-1960916304-316517947225389471356995981-119946251-1637189830853497469"
1⤵
PID:1296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16166079301376624299-1152628140270690006-18189306021936906841424336995993967387"
1⤵
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1227362638-1040720474-469792437-505791075-718634890-827433308-4367862691405256776"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1635175906-18392950401501940815-1028263091-38294768-983120521-15372582172098623644"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5316546711109569427-6424731152009755445-1865401096-39904702810521317361253941615"
1⤵
PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2224146101373870905-41755017-1542809631438349265-1772820015608159142-433457203"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2890741111255178990-13627397191542256374-1003686129-2697245181570345536-592340408"
1⤵
PID:1716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "426567869295409512-1902724539-9610386398662301821958153290397953-1693900859"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1303574165-82366711872747684-715520611818620736-400539993-5951237141132346701"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9188397422099072748-1294392983-16680103841477633550114612556170454938-286269972"
1⤵
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "665531772839648001-1493901180-13511758002033784642-13263629513259999471570755072"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1565140994-953604533-807624092-1104309011-146971091-432494102-626703375-1695226749"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158957415917638513154040282701559044392-382203701-999564264-224977242746742047"
1⤵
PID:2636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1787702074177995217-719743527344185419359393058116209571839895386-1908013595"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18333206741128375125112390771667121919-191783105710321836291742476227-159267651"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1745669237-342647106-1072093615-825451014781650133-1740517701412877229-915851047"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-363101242-1875098921-47634138515133990051401420163-1641038719-15262081282013085278"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "182571558216704980693267654071468261339-94984417013576956451217951305-787085602"
1⤵
PID:852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6704645-1504167225-1852123085-492794494237383713-42098085812474869231806452122"
1⤵
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "594608473-137928611-563417187-926591200-14948557561831742267816219233-1764764924"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15068467781683961720-1431026651549914671-1255061464-191562732111724760551722551623"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17329717311996634675840774727458993346781789473430482470-1313877618-918781158"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18567907961241854990-1618296466783886042-301962276-1313786061617527325233920755"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2087763103-6445909417643409121028222685377763812679158585-1557897361258293212"
1⤵
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12500194521763473379630412-756855163135262572615757908961170759908-1136688357"
1⤵
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "734614859-1979676446191781658818601774301225528575-1892640394-8965632001109225809"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1797671142-18946584412013463511-427435733943704290-877865341-348587698-1697781942"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1501009100-1122056145127316667-4390976871684246394-16898607991330781728-908264967"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "786523987-1664938209-16749934017818137771901114079285204481-568723974182782169"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1187525181-2656205261319459572-45625976211291998111095759961800496713-1545673024"
1⤵
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4359007934580112312154582931291400941578654925657217929-2092523805-358725791"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17906164583292596541879535121151626172-1648202581431878148-1651035045641337687"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15967709348675825263800242701800038164106435643-87547908917930118961845986145"
1⤵
PID:1832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4620068031952154010-1472043917432285919-1541890612-940027947-5402825371114186555"
1⤵
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10913119631759284814-794482341-2039490202-13188164761858365484-1844508000917454930"
1⤵
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14234926371941708320900432411-309508998-3519315383545954201646066271086601828"
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1222527777-1736097053176056856613734257011875490433-183073927-668367742586659073"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1777164875-1491471279-537140759-1479708396989457868-4257696215678324621935965639"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6582521-4964204871273786190256069935-1074430977-351707699-2080012804-1581371469"
1⤵
PID:560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "47606642612022225433274045071993456491-621431816968889468-2138603376-1707531289"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1433304530-874228842-1681697011202714708416465981561497726210427110011-1519057656"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-353300553-1517268808-1830269352-1693432525-417028854109088838-801181564-2036326529"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "739575603-940458389899124451-577932217-2014626985334740370963032251496424737"
1⤵
PID:1268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1086215641-1664963873-1199266161698991979210626913620732472961518664084-1171736854"
1⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1914468527-130848876-18352468051202573801947164883952018157-1547787709-274997330"
1⤵
PID:800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "290618394-900870628-5501116931303522433-1352135674-433538872489981080-901820534"
1⤵
PID:1756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1878012683-1696138178-713763735-17444162842399215061878704668-12374750061547867379"
1⤵
PID:1784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1401323379-1229278631157987298920244696562016257594-1002012161638952920761318899"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1400536614735529421-1895313794-21386986481983143007-1809548054-405311308-1140701245"
1⤵
PID:1444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2136613486-7480096522056145755-9606504741442944751-6308815891608470526559200548"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1727788117-1952239996726353301-1508545923155951094920350242401955782341-940704103"
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "478269422774509054-1775342040-14897994573959690291804640524-1471251090-1966960925"
1⤵
PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-693903645-385435401193734057808166046-2046949611165328884-707227527-86405077"
1⤵
PID:820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14096970511182023638-5453883601315572580-1485495894-1199993051563770171-1071474444"
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024319-2388-11d8fqo.8fxw.jpg

Filesize
16KB

MD5
4dc2bd02171614df22e08f481e12c497

SHA1
75a83d5bec4dc4b3b0510a3341bd3fe69198a548

SHA256
cdd8624fb75dbd880d9d69a38940d28fbf31283719e2ec1e782253e03ef9d1ed

SHA512
0f1182c9bb873db3c34e1d254b26e888ae83782caf57fd5c25a840e3a42efd165e0d4f2a043b78304b556c8fea718483a65b29fc2a54fa87156d392be3fbd0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-12j1lc5.lwxd.jpg

Filesize
16KB

MD5
900deb34772288266472862cdbac6033

SHA1
a1f718881ec93694fc4fc58df8175d06fef66413

SHA256
bafc2044d593b968fcb7eeeb52797a8df136dfe4460044e41625a5190865fbbc

SHA512
021d44cefb07afde219d5c6a6eaa6c1aacd0a5790ab98f4e3491c60e360596200121af07fe36b9df23b6661f28dd21335916654f390eecfb7bd071efa3e1c743

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-157rhcy.g74vl.jpg

Filesize
16KB

MD5
e3918650b08c2ba850302ca21879e020

SHA1
a5732e57dcadb6a22cb4f5cb018b7d4c18f936fa

SHA256
70d9c48bf81ed212bee3653419dacab1d5bc53b0a4e69e310c34e5bc2f6ad044

SHA512
b9a3ff837b9bbc0cf8802f344aab51e419be38aecbe137bf22c9a01c2f0938501031648b20b50978a16c14853871c644c0cf133bfc74333959cd10809c8e109b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-171hn3g.so29.jpg

Filesize
16KB

MD5
2f8de0e05490d1ac0f1cd38893a1e7bf

SHA1
0bd7885c20142107de534352941f323fac8ea07c

SHA256
c2ecf250f5d37fed74068a9878b27af552105e209cbd7c5cf832644350de8781

SHA512
a6acdfd78c0e8478721cea622b95879a783d6de50864b0a34d027f5f2c2b8a7e0cf22096661435096dfe4e370c35ae23ae52d1431bd5d8ce850a24c0f0e5364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-19lrdw8.jkqh.jpg

Filesize
16KB

MD5
e1bbf79c140993ce765da977429c3eb7

SHA1
91a569599e03b9a536a785110eb43f63820102b5

SHA256
2928b51a1fcb2bcf9bb4b682c6514011298d0f768f716a8f3d1292d3f7681c26

SHA512
0b1cf0b5c564361481c4ac03b52a0250305a948b35e70630f97b6aa0c6de98e545c767c94c7c10020fa67402d30483b9d0b2051f850593113e788eac8896a450

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1cb1wsr.9mtc.jpg

Filesize
16KB

MD5
c7f76debb02b265f978dd491ab2507d8

SHA1
482171e7393ebe1b2a7bd24520e7fc05c02293c1

SHA256
d927f02a0b3142e1bad282df23810abf191898dc15d263b28b0e9f1f88d25e40

SHA512
74153d3bfa3e9ba994761831de95bf86ce2e6c5af019a94b89597223f88d213245f00c1f7ba58ec1dc3dfb2b8fdfe8311d67cfb02ce8eb84b44a054b9e5fd325

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1dtj19v.n1lx.jpg

Filesize
16KB

MD5
265d048d07c72332486d61ad25c08267

SHA1
aa75d4212356c5d6277d1b9455721124ace7304f

SHA256
4b1a6dd6eebb53f4c1d24501959aabfb8aee2769f580f6cb0e05843e3315e68c

SHA512
faee633fb9c836efdee6e7db1c9c8e2289cfc0a7cea842946524249db04d1723f94c36452ac7a5cc90ec636807594532bb7d1ae5795009ca3320362654088c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1eu8yrl.9p4m.jpg

Filesize
16KB

MD5
831a2c38f865660b5bfbd47f34e2133f

SHA1
a2fac88626a70b38b9e5f199e4c81e4b041adb72

SHA256
f75c70ff972cdcc6c7a3bbbd0366dd84b75545ef95eaec7bccdd227833a810f3

SHA512
f9bd410e2523a9cfea05f1a776568c2368f65c127b7081c7f1f41e28ac03397f4bc7ec3dc6984fca30b1004251860ca1dfaeb2dabe80e3c2f570eeb59c44d94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1g5zxnr.jlvgl.jpg

Filesize
16KB

MD5
9b70e15927e1b9e884444be60bb74fcd

SHA1
141184427e5093d0ca49ab73092574766d1d4d95

SHA256
e9c636e07a2ab87f9c82fcacd9b9b10377c6a9130451722a86248caeb260347f

SHA512
860401b80742ff237e9c97ab790654ecd6eb70e2fa942703a42f832d7ac8086b96af0e42c416a76f634793c7998e45821737247f476acc721b7691235707e199

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1hzzrh7.br3j.jpg

Filesize
16KB

MD5
d1509472688cef551483563cfb5b80a2

SHA1
4e030f306bba51d20c19ecb9a9d45a9b75b6140a

SHA256
d62be8fb75bc36a95aa446188433085cd968e897294c5419f93d20fe81c76604

SHA512
f1d7fbf831e509c8d658b20fc996a99931df625dc4769df084797703b90e74e6bd4eebcfd36b958c123a2f1c2630cb6ffe326a54fc89db7c2e58a5306f04f800

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1ib8lts.rdub.jpg

Filesize
16KB

MD5
88581e235057a3ad52d545eb2b412d85

SHA1
c5dd4bb1688b1e90eada9e599305f97c3300d8a4

SHA256
949db7498f9213fdf9b49b430261f52faffba3dd292390131292b27f918c2e00

SHA512
af9cbb406f7933a75056b56b57aeef4d7b3c7a779ba5db17f24b86209c549f707bcee5966ca59b1b0d95c2e4d59d739bb3a1c356767cd891eeb69fa0b356c093

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1o5qql4.uhb3.jpg

Filesize
16KB

MD5
4e2460fcae9fa0b39a8fbe94ef92e478

SHA1
b108bdbea2d029d7fd7b9c479cc81197729bf4e7

SHA256
deb11b9faf323d2441bf945b41daa77a45ceef0b1c194fa5e654287a0ff8aeee

SHA512
c270d687a9cb35492ec5dd011086339e151cb3481e2175a0db0986aa34e61918ba0dc21daae8846c481d6ee0d054ed98a189cb37668f6b0be8861e7a69c17498

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-1wutrlf.78ij.jpg

Filesize
16KB

MD5
3d2fac6cd423fded37be9a98e7bc3109

SHA1
649818aa11644b8381ad42bd4d8cdaefef8ce33c

SHA256
fb805c62b55aa23877811831e1ddea27800f4b216b830e8785daeda4614b8305

SHA512
7c6c34445ad4842ca4ccb6c744b87d6b5e52c850588e58e1c0381696c033518ef70bb1598699730f101fab05f60ea54e26f881a317f7d3679c7fe15723696630

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-32wli2.xvuaa.jpg

Filesize
16KB

MD5
0c5ba4891d621378fbe7f19883194610

SHA1
5bf8e6b0a017ca36f881b11907b8f85620ef3848

SHA256
26d15875a919c1bc2a9969eb554ab1a379640fd7a9fd6637eccd9dc0e17d9d8e

SHA512
c85723e5f945c6518d0eec31788ae4a3cb5e1c1b717e6fa3424eef0aae1a3767c528e80e346ef66815780fa8856b229ed729e7429faae504fa2a6919c8fe281e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-4ki9wh.yiimm.jpg

Filesize
16KB

MD5
3a92d8f6fbcc47dcd35717be514f3b28

SHA1
534dd944e7a0b51ac478de16f4d008df7b0b7133

SHA256
fbd3cb167e224f3b1a95ce7ee46d3cfcbf47c62cf9ac00e4629edbe14f404b39

SHA512
edc961b87ffe1e9c39502c6efe89bd9d9639417675f2c68f5b72c7e5d99071092c830b3c5d336ecb0e9b4322f3a92242c765032a7827338185ba0d0ca70c2c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-660end.alj84.jpg

Filesize
16KB

MD5
52879e1323968895b913d2085e8d8235

SHA1
68a88f8b4c80d3403bbcac2b8e7591510c491961

SHA256
e1586c373cc796b7682c1c74592bfd4f723374466e6b5b77ff5dab1ebfef0e1a

SHA512
d1eef76816d365f8d7f39f0f112d304108b3ad0962a0d50f3882232b175c98012953dc0589daa6c59dd2ef52fb20af8359196e14130f85d1ecf4ecb22f2e565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-beld78.rueh9.jpg

Filesize
16KB

MD5
bf7e8875ea7defb7980f94859c3e59b2

SHA1
e75e90a6accea5f705317cdddc8714776d4f0aac

SHA256
063e86c937c7d21505d1caa5ac5286a95ec901d332ff5f345e9aeb0a9630a163

SHA512
9c5eb988faa1ae8cfb024fcbf3b3542b055e0940c83e2ab2e16ad7733d838cc3c38c3115f80d4c72523e72b0af4aac45b77e4d8d9384757a8a5cccb8228c4fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-h1ui26.gzkvk.jpg

Filesize
16KB

MD5
671472c3b083f02168140da60eac171c

SHA1
57e8488f0af47465027d118934c6d89c066e48f2

SHA256
a92f5f61160d11c54854f74674b1a934ca78958ea07ac6418f0897ba99fb125b

SHA512
97dd275f1ee26479698861d5851e0b1b90d274815c87034d49fb0d47cc3c4ba19618b18f0a10175defb05c7dd52f5a4a22afc9985403356c5055b34750795171

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-mnksp5.scl4m.jpg

Filesize
16KB

MD5
027b8ab9725130cbcfba85794fe8d412

SHA1
a54a01fb611a73ea84827859a9a839bae18383ee

SHA256
cccd4e94f8acedbd10e9101c5c33ef4b0d1e48d22fc3e202d0892fe4b635e080

SHA512
b0ed4728c64972a5cec18ae29245712738260d085e21cbb479f665a85e275f848dc95746c3b30d315a6e944a8de8b97904425541955a161b3fc604288784f033

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-oxtac1.9ln58.jpg

Filesize
16KB

MD5
189628fdc3f792ac6d70dcfa32cc563c

SHA1
a8bc1d4251525fa51aa0dedab117404e4732afa6

SHA256
91534452864a3668240b8a4adbdb857cafc3b3ea408e4c1e58c4d1d9c9837cab

SHA512
1af5dc0703e332adc3501febb074ea9ae6d7810f46563c9129670b6968b155808b65b798a503315aaac4595678bf373d9ba62a3af5d6587a5927150df7a6f7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-pmuj5h.50hdf.jpg

Filesize
16KB

MD5
e44841b2b00148fc5c1b43c489073b30

SHA1
a460008fbf457e3084318cb7d9c8047516e16782

SHA256
8929c3fa791ca1c2486f4200213271856316b8e24df351ef3a22c33e16145617

SHA512
23201f2188c2ba8c1000624b6c796375c19054bb859678eb6aa883cfa02936e672bb295e297d546fa19f93e75b995fb0e74d7388cd5111c02c6824daf7e86f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-u0c6xk.4k55j.jpg

Filesize
16KB

MD5
d6aa70e0fd51c17e7f7d5a7806754651

SHA1
7f0a1165ac1de5821175fac3673e289e5c43d77b

SHA256
b13380248c7338878d9a3400ac6d3926854ee12c6ed3673cd19b19fade8d717e

SHA512
68c17ddbf3e4bd3b76eef40e284bfd7bce566f49982c882d9deeed2d076c7510b949489d00bf14e1f07fff5a2dd225bdaa3e162bd1e01c22d1ac68912abba532

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-v5oqp7.y3ynr.jpg

Filesize
16KB

MD5
64eb7d06c24e4fb3aaab147d57bbb3ab

SHA1
1b1bc7fb1783acb8b13d4906ca7aa2c6d9abe3c8

SHA256
ad8e8afd34442e5b0713f9c36ec1cf610ebe83df2b3c2d52ce83a63d2cfe201a

SHA512
b38c2cbeb19cc6b348e699a28557edc401def7655586711758e7acf70cc1be57f3f7c53cf778edd093e6ad4255cad1b438a5703a10e48a39a9ffdff7dbe09307

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024319-2388-vx4rx5.1qmer.jpg

Filesize
16KB

MD5
a9cde0a792e47beb81dac70d20bbab41

SHA1
5536c9bbbbef650f216de55e9320e6824a3fa024

SHA256
de6112e8427c61020962c7d139def0bcc5b5a59972e45c9b9cddcaebe3dbbdc9

SHA512
5b786b320a87af169b2f6b00fd2ccb42e4015312736cdcbc3d830748acda52efb68db1704956df47549c16210e62a535a78068f5eea464c38b6a6be27027d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES33FC.tmp

Filesize
1KB

MD5
9bb09635c2849816ff9c4677b8b061ec

SHA1
e30d457b96fcc3722852d4eb27d57ef564c61ddc

SHA256
e91649723452852c5505c8f040fc802680609513a67dfcd4f770d2c3f9bc9e34

SHA512
9b4d26bb34046ffddd2320c23bdc5f56b5ab5db38467157c410c30fad9255a2946e041093799d5d374adedba723a6ed24c92d63366188ecc8e85e5cf8d63c55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
240B

MD5
810ae82f863a5ffae14d3b3944252a4e

SHA1
5393e27113753191436b14f0cafa8acabcfe6b2a

SHA256
453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

SHA512
2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
ee8d6caff29dceb1dd8bb122d45e732c

SHA1
45b5acee45c696f4caa0c18769ec566df7689183

SHA256
8e5491302010f3a507b27d66af23af162a756253a18c724b1e656add542d57a4

SHA512
6ad8dca83450dda13c856fd0efc11318bfacbc53b857e1c9a6a2ad8885c656fc601a8bdd2c36e612dd67ded36f0ef89bb20a58361fec190f1b953dc8be425de0

Download Submit
C:\Users\Admin\AppData\Roaming\EpsilonFruit\Local Storage\leveldb\CURRENT~RFf762b54.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC5FAEE389F07A4175972C2D2FD5022DD.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
\Users\Admin\AppData\Local\Temp\252f5e46-dfc1-4fed-80cb-7604d7c80560.tmp.node

Filesize
163KB

MD5
b0e113443ddc1ee234acbf0eb0e6f8a0

SHA1
84cc562b82570ec05df6dbbfc8f29fbb16ec68c7

SHA256
8d6f5cab1d6a99ac49772080c6f383f33a9bb983e0f8d02d0f3de4b2bdd26215

SHA512
306e89ec66fdf8b0de19d5bcda01f69809d83f464a9c21fda4b470e81ad3b722aa6cb6086fb4c2af59504fe4332c1f9efff27168598cc00be0f28fed45dde8ee

Download Submit
\Users\Admin\AppData\Local\Temp\a27791d7-b596-48af-a765-8faa2e070b0a.tmp.node

Filesize
652KB

MD5
1f86d23226fffe71b8784029d8c5125b

SHA1
9cc9bc5a5ca25a682746480dff1677d0ff5ec16c

SHA256
265d11dea86267a478907b398b8b33aad69f0944784386c1795cc32b8c931ffd

SHA512
4f1aaee14c9cb0a76853a15030b525ee082a226ac67e9c90a96bbdbbb9229f6fe48192d63686f72c55e094de45c2a032bdd241fcacc190b71ffdc0fde80824ae

Download Submit
\Users\Admin\AppData\Local\Temp\a36f25af-930e-4c93-a72f-fe89a26496bf.tmp.node

Filesize
2.7MB

MD5
08b28072c6d59fdf06a808182efed01f

SHA1
35253af00af3308a64cff1eda104fd7227abb2f4

SHA256
7c999c84852b1f46a48f75b130fea445280d7032a56359dffecf36730366abc5

SHA512
f2592ade5053b674dbe4191c7001748a801dca3b19e97e19b440a3e944011c87926b0ef21c87e98b48e038889a32e01c1d74949124be3144834e2f06d9781198

Download Submit
memory/584-257-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/584-356-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/584-258-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/768-226-0x0000000001080000-0x000000000108A000-memory.dmp

Filesize
40KB

Download
memory/768-227-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/768-231-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/900-424-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/900-420-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/1036-439-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1036-432-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1252-382-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-381-0x00000000013D0000-0x00000000013DA000-memory.dmp

Filesize
40KB

Download
memory/1252-389-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1304-495-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1448-423-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/1448-323-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/1448-328-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/1524-433-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1524-330-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/1524-333-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1544-374-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/1560-409-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1560-407-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/1600-467-0x0000000001030000-0x000000000103A000-memory.dmp

Filesize
40KB

Download
memory/1600-468-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-471-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/1652-292-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1652-295-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1652-291-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1700-345-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1700-461-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1700-350-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-244-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1724-245-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-252-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-273-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-366-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-267-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/2104-373-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-285-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-355-0x0000000001310000-0x000000000131A000-memory.dmp

Filesize
40KB

Download
memory/2112-359-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-485-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-484-0x00000000013E0000-0x00000000013EA000-memory.dmp

Filesize
40KB

Download
memory/2264-400-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-236-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-338-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-52-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/2400-367-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-337-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/2436-341-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-408-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-318-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-315-0x0000000001090000-0x000000000109A000-memory.dmp

Filesize
40KB

Download
memory/2724-445-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/2724-452-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-42-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/2748-9-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2780-458-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2780-462-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-480-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-477-0x0000000001040000-0x000000000104A000-memory.dmp

Filesize
40KB

Download
memory/2908-476-0x000007FEF2430000-0x000007FEF2E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-304-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download
memory/2936-307-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-399-0x000007FEF2E20000-0x000007FEF380C000-memory.dmp

Filesize
9.9MB

Download