orcus | eacf04d721fe4880dc73790ccbd58acf310dc0c90b13b7424200a9aa2b94640a

Analysis

max time kernel
102s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberV12.exe
Size

926.0MB
MD5

930b3bbbaa989db448d8ec5c696a5a16
SHA1

a27e7c76990a31f1414d429e828c81e14f48a00a
SHA256

eacf04d721fe4880dc73790ccbd58acf310dc0c90b13b7424200a9aa2b94640a
SHA512

cb9dc7db9f4a4c0dc5407d0a9bbd5c1301d5c4d03fed7d6b972c61a816c8860aff072f1515189d21b3336448a7c19d99f636cc3b060e4628c2ef7dbd1e75291a
SSDEEP

49152:KUAHP06/eyShf+okdWtRAOk3HQ7JTDCgV4L6uzxGiWaUKU:WmBf2dWtnGcDnMjFWxK

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

248d60d8a7114264bce951ca45664b1d

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
winlogon.exe
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 9 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e7e0-19.dat	family_orcus
behavioral1/files/0x000200000001e7e0-49.dat	family_orcus
behavioral1/files/0x000200000001e7e0-73.dat	family_orcus
behavioral1/files/0x000200000001e7e0-103.dat	family_orcus
behavioral1/files/0x000200000001e7e0-136.dat	family_orcus
behavioral1/files/0x000200000001e7e0-163.dat	family_orcus
behavioral1/files/0x000200000001e7e0-195.dat	family_orcus
behavioral1/files/0x000200000001e7e0-257.dat	family_orcus
behavioral1/files/0x000200000001e7e0-370.dat	family_orcus

Orcurs Rat Executable 9 IoCs

resource	yara_rule
behavioral1/files/0x000200000001e7e0-19.dat	orcus
behavioral1/files/0x000200000001e7e0-49.dat	orcus
behavioral1/files/0x000200000001e7e0-73.dat	orcus
behavioral1/files/0x000200000001e7e0-103.dat	orcus
behavioral1/files/0x000200000001e7e0-136.dat	orcus
behavioral1/files/0x000200000001e7e0-163.dat	orcus
behavioral1/files/0x000200000001e7e0-195.dat	orcus
behavioral1/files/0x000200000001e7e0-257.dat	orcus
behavioral1/files/0x000200000001e7e0-370.dat	orcus

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	BlitzedGrabberV12.exe

Executes dropped EXE 38 IoCs

pid	Process
2384	mxfix.EXE
3060	UnityCrashHandlerV2.exe
828	mxfix.EXE
1496	UnityCrashHandlerV2.exe
4520	mxfix.EXE
3788	UnityCrashHandlerV2.exe
3476	mxfix.EXE
960	UnityCrashHandlerV2.exe
564	mxfix.EXE
3040	UnityCrashHandlerV2.exe
2496	mxfix.EXE
4988	UnityCrashHandlerV2.exe
2088	UnityCrashHandlerV2.exe
852	UnityCrashHandlerV2.exe
2600	mxfix.EXE
2620	UnityCrashHandlerV2.exe
5036	mxfix.EXE
4468	UnityCrashHandlerV2.exe
3992	mxfix.EXE
3432	UnityCrashHandlerV2.exe
4744	mxfix.EXE
912	UnityCrashHandlerV2.exe
2760	Conhost.exe
4152	UnityCrashHandlerV2.exe
1216	mxfix.EXE
2088	UnityCrashHandlerV2.exe
1896	mxfix.EXE
3612	UnityCrashHandlerV2.exe
4916	UnityCrashHandlerV2.exe
3604	UnityCrashHandlerV2.exe
5028	mxfix.EXE
1076	UnityCrashHandlerV2.exe
3116	Conhost.exe
3348	UnityCrashHandlerV2.exe
4604	cvtres.exe
1296	UnityCrashHandlerV2.exe
1460	Conhost.exe
2496	Conhost.exe

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	UnityCrashHandlerV2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	mxfix.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	UnityCrashHandlerV2.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File created	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File created	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly	UnityCrashHandlerV2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	UnityCrashHandlerV2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
2964	powershell.exe
2964	powershell.exe
2964	powershell.exe
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
3368	powershell.exe
3368	powershell.exe
3368	powershell.exe
3348	powershell.exe
3348	powershell.exe
3348	powershell.exe
2444	powershell.exe
2444	powershell.exe
2444	powershell.exe
4752	BlitzedGrabberV12.exe
4752	BlitzedGrabberV12.exe
4752	BlitzedGrabberV12.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
1884	Conhost.exe
1884	Conhost.exe
1884	Conhost.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
3492	mxfix.EXE
3492	mxfix.EXE
3492	mxfix.EXE
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	4752	BlitzedGrabberV12.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	1884	Conhost.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	3492	mxfix.EXE
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 2384	3140	BlitzedGrabberV12.exe	90
PID 3140 wrote to memory of 2384	3140	BlitzedGrabberV12.exe	90
PID 3140 wrote to memory of 3060	3140	BlitzedGrabberV12.exe	91
PID 3140 wrote to memory of 3060	3140	BlitzedGrabberV12.exe	91
PID 3140 wrote to memory of 4452	3140	BlitzedGrabberV12.exe	92
PID 3140 wrote to memory of 4452	3140	BlitzedGrabberV12.exe	92
PID 2384 wrote to memory of 1808	2384	mxfix.EXE	93
PID 2384 wrote to memory of 1808	2384	mxfix.EXE	93
PID 4452 wrote to memory of 828	4452	BlitzedGrabberV12.exe	97
PID 4452 wrote to memory of 828	4452	BlitzedGrabberV12.exe	97
PID 828 wrote to memory of 2964	828	mxfix.EXE	95
PID 828 wrote to memory of 2964	828	mxfix.EXE	95
PID 4452 wrote to memory of 1496	4452	BlitzedGrabberV12.exe	98
PID 4452 wrote to memory of 1496	4452	BlitzedGrabberV12.exe	98
PID 4452 wrote to memory of 1872	4452	BlitzedGrabberV12.exe	99
PID 4452 wrote to memory of 1872	4452	BlitzedGrabberV12.exe	99
PID 1872 wrote to memory of 4520	1872	BlitzedGrabberV12.exe	101
PID 1872 wrote to memory of 4520	1872	BlitzedGrabberV12.exe	101
PID 4520 wrote to memory of 3076	4520	mxfix.EXE	102
PID 4520 wrote to memory of 3076	4520	mxfix.EXE	102
PID 1872 wrote to memory of 3788	1872	BlitzedGrabberV12.exe	104
PID 1872 wrote to memory of 3788	1872	BlitzedGrabberV12.exe	104
PID 1872 wrote to memory of 4524	1872	BlitzedGrabberV12.exe	105
PID 1872 wrote to memory of 4524	1872	BlitzedGrabberV12.exe	105
PID 4524 wrote to memory of 3476	4524	BlitzedGrabberV12.exe	108
PID 4524 wrote to memory of 3476	4524	BlitzedGrabberV12.exe	108
PID 3476 wrote to memory of 3460	3476	mxfix.EXE	110
PID 3476 wrote to memory of 3460	3476	mxfix.EXE	110
PID 4524 wrote to memory of 960	4524	BlitzedGrabberV12.exe	109
PID 4524 wrote to memory of 960	4524	BlitzedGrabberV12.exe	109
PID 4524 wrote to memory of 3364	4524	BlitzedGrabberV12.exe	112
PID 4524 wrote to memory of 3364	4524	BlitzedGrabberV12.exe	112
PID 3364 wrote to memory of 564	3364	BlitzedGrabberV12.exe	114
PID 3364 wrote to memory of 564	3364	BlitzedGrabberV12.exe	114
PID 564 wrote to memory of 2540	564	mxfix.EXE	118
PID 564 wrote to memory of 2540	564	mxfix.EXE	118
PID 3364 wrote to memory of 3040	3364	BlitzedGrabberV12.exe	116
PID 3364 wrote to memory of 3040	3364	BlitzedGrabberV12.exe	116
PID 3364 wrote to memory of 2480	3364	BlitzedGrabberV12.exe	117
PID 3364 wrote to memory of 2480	3364	BlitzedGrabberV12.exe	117
PID 2480 wrote to memory of 2496	2480	BlitzedGrabberV12.exe	119
PID 2480 wrote to memory of 2496	2480	BlitzedGrabberV12.exe	119
PID 2480 wrote to memory of 4988	2480	BlitzedGrabberV12.exe	123
PID 2480 wrote to memory of 4988	2480	BlitzedGrabberV12.exe	123
PID 2496 wrote to memory of 1484	2496	mxfix.EXE	122
PID 2496 wrote to memory of 1484	2496	mxfix.EXE	122
PID 2480 wrote to memory of 4028	2480	BlitzedGrabberV12.exe	120
PID 2480 wrote to memory of 4028	2480	BlitzedGrabberV12.exe	120
PID 4028 wrote to memory of 2088	4028	BlitzedGrabberV12.exe	157
PID 4028 wrote to memory of 2088	4028	BlitzedGrabberV12.exe	157
PID 2088 wrote to memory of 3368	2088	UnityCrashHandlerV2.exe	125
PID 2088 wrote to memory of 3368	2088	UnityCrashHandlerV2.exe	125
PID 4028 wrote to memory of 852	4028	BlitzedGrabberV12.exe	127
PID 4028 wrote to memory of 852	4028	BlitzedGrabberV12.exe	127
PID 4028 wrote to memory of 1856	4028	BlitzedGrabberV12.exe	128
PID 4028 wrote to memory of 1856	4028	BlitzedGrabberV12.exe	128
PID 1856 wrote to memory of 2600	1856	BlitzedGrabberV12.exe	129
PID 1856 wrote to memory of 2600	1856	BlitzedGrabberV12.exe	129
PID 2600 wrote to memory of 3348	2600	mxfix.EXE	130
PID 2600 wrote to memory of 3348	2600	mxfix.EXE	130
PID 1856 wrote to memory of 2620	1856	BlitzedGrabberV12.exe	132
PID 1856 wrote to memory of 2620	1856	BlitzedGrabberV12.exe	132
PID 1856 wrote to memory of 4080	1856	BlitzedGrabberV12.exe	133
PID 1856 wrote to memory of 4080	1856	BlitzedGrabberV12.exe	133

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
  "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
  "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  PID:3060
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\snoxramm.cmdline"
    3⤵
    PID:2820
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10DB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10DA.tmp"
      4⤵
      PID:5196
- C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
  "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
    "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
    "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    PID:1496
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mpxkyznm.cmdline"
      4⤵
      PID:3468
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1158.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1157.tmp"
        5⤵
        
        PID:1740
- - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
    "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
    3⤵
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
      "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
      "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Windows directory
      PID:3788
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1pgtnpjb.cmdline"
        5⤵
        
        PID:4452
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1195.tmp"
        6⤵
        
        PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
      "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        5⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Drops file in Windows directory
        
        PID:960
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vxuwlpyi.cmdline"
        6⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1149.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1147.tmp"
        7⤵
        
        PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        6⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Drops file in Windows directory
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyxas2nm.cmdline"
        7⤵
        
        PID:1456
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10EA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10E9.tmp"
        8⤵
        
        PID:112
      - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        8⤵
        
        PID:2088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        8⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Drops file in Windows directory
        
        PID:852
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwyprvho.cmdline"
        9⤵
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1167.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1166.tmp"
        10⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        9⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cp-aqxrj.cmdline"
        10⤵
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10AD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10AB.tmp"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        9⤵
        Checks computer location settings
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        10⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mcjbgpqq.cmdline"
        11⤵
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10CB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10CA.tmp"
        12⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        12⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        11⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\au7bxf5h.cmdline"
        12⤵
        
        PID:1128
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10F9.tmp"
        13⤵
        
        PID:5392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        12⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        11⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        12⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eccjgyxc.cmdline"
        13⤵
        
        PID:3184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES111A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1119.tmp"
        14⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        12⤵
        Checks computer location settings
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        13⤵
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        14⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        13⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yxkfgpce.cmdline"
        14⤵
        
        PID:64
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1119.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1118.tmp"
        15⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        13⤵
        Checks computer location settings
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvopm9jb.cmdline"
        15⤵
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1148.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1137.tmp"
        16⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        14⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        15⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kpl1oren.cmdline"
        16⤵
        
        PID:1768
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11A7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC11A5.tmp"
        17⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        15⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        16⤵
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        17⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        16⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lewr9jyl.cmdline"
        17⤵
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES112A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1129.tmp"
        18⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        16⤵
        Checks computer location settings
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        17⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b037ykjg.cmdline"
        18⤵
        
        PID:2704
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES109C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC109B.tmp"
        19⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        17⤵
        Checks computer location settings
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        18⤵
        
        PID:3116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        18⤵
        Checks computer location settings
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        19⤵
        
        PID:4604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        19⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i3l6xj0v.cmdline"
        20⤵
        
        PID:1940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1129.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1128.tmp"
        21⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        19⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        20⤵
        
        PID:1460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        20⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dtbcyvib.cmdline"
        21⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10FA.tmp"
        22⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        20⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        21⤵
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        22⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        21⤵
        
        PID:2472
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxl2_byq.cmdline"
        22⤵
        
        PID:5224
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1187.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1176.tmp"
        23⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        21⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        22⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        22⤵
        
        PID:5504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvdk6uj2.cmdline"
        23⤵
        
        PID:5796
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10CC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10CB.tmp"
        24⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\WindowsInput.exe
        
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        23⤵
        
        PID:4312
        
        C:\ProgramData\Chrome\chromedriver.exe
        
        "C:\ProgramData\Chrome\chromedriver.exe"
        23⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        22⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        23⤵
        
        PID:6124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        24⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        23⤵
        
        PID:5420
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uehkjmqv.cmdline"
        24⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CFE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2CFD.tmp"
        25⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        23⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        24⤵
        
        PID:3644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        25⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        24⤵
        
        PID:5800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v4rwhgdn.cmdline"
        25⤵
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3088.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3087.tmp"
        26⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        24⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        25⤵
        
        PID:3548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        26⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        25⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        26⤵
        
        PID:5444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        27⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        26⤵
        
        PID:5476
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ctzvvvx.cmdline"
        27⤵
        
        PID:2192
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F0D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4F0C.tmp"
        28⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        26⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        27⤵
        
        PID:5336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        28⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        27⤵
        
        PID:1540
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02wyx83_.cmdline"
        28⤵
        
        PID:1756
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C99.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C98.tmp"
        29⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        27⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        28⤵
        
        PID:5388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        29⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        28⤵
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3cmaxef.cmdline"
        29⤵
        
        PID:5556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6796.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6795.tmp"
        30⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        28⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        29⤵
        
        PID:4352
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gfgrsfij.cmdline"
        30⤵
        
        PID:184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES715A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7159.tmp"
        31⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        29⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        29⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        30⤵
        
        PID:3132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        31⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        30⤵
        
        PID:2704
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\85ujdh2v.cmdline"
        31⤵
        
        PID:4044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CB4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7CB3.tmp"
        32⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        30⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        31⤵
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        32⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        31⤵
        
        PID:3228
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsmdeohy.cmdline"
        32⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88F9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC88E8.tmp"
        33⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        31⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        32⤵
        
        PID:4740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        33⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        32⤵
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dttafmor.cmdline"
        33⤵
        
        PID:5276
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC97CD.tmp"
        34⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        32⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        33⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        34⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4916
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z7w0g4br.cmdline"
        34⤵
        
        PID:5720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA078.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA077.tmp"
        35⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        33⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        34⤵
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        35⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        34⤵
        
        PID:5268
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c5qmuzyq.cmdline"
        35⤵
        
        PID:3436
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD49.tmp"
        36⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        34⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        35⤵
        
        PID:4292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        36⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        35⤵
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mxvl0giv.cmdline"
        36⤵
        
        PID:3476
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAE5.tmp"
        37⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        35⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        36⤵
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        37⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        36⤵
        
        PID:5540
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w14m5pgo.cmdline"
        37⤵
        
        PID:5204
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC892.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC891.tmp"
        38⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        36⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        37⤵
        
        PID:3664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        38⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        37⤵
        
        PID:5812
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_g9tdupa.cmdline"
        38⤵
        
        PID:912
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD311.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD310.tmp"
        39⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        37⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        38⤵
        
        PID:5860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        39⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        38⤵
        
        PID:6016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2rjxpozg.cmdline"
        39⤵
        
        PID:5460
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE1D.tmp"
        40⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        38⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        39⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        39⤵
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jiycey00.cmdline"
        40⤵
        
        PID:556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFB2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEFB1.tmp"
        41⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        39⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        40⤵
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        41⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        40⤵
        
        PID:4960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ldhlfsev.cmdline"
        41⤵
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA50.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA4F.tmp"
        42⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        40⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        41⤵
        
        PID:4072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        42⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        41⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        41⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        25⤵
        
        PID:5960
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0lqpehl.cmdline"
        26⤵
        
        PID:64
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AF8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3AF7.tmp"
        27⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        18⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kadapxya.cmdline"
        19⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10AC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC109C.tmp"
        20⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        7⤵
        Executes dropped EXE
        Drops desktop.ini file(s)
        Drops file in Windows directory
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dm3nu9ok.cmdline"
        8⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2760
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1196.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1186.tmp"
        9⤵
        
        PID:5244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:5480

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:6128

C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlitzedGrabberV12.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9451a6b9669d49bd90704dff21beb85

SHA1
5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

SHA256
b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

SHA512
06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eeec902f8040c7c6fa3299e0a7054583

SHA1
a7b7b72310e5d7351b97455bdc4a6507802ca99c

SHA256
63f23341e2d81cfb8343c98ec0fc0e352c997fd35187f8d340ffe77829bf5e51

SHA512
0af9a39f2ad1a63930fad08f171d4344da4aa925f2d6ac00153c8c447247463c52fb08b8cb6eeb1a977a4500e0b5016ae27509880f89b91751d01dcf32179348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f41f42c322498af0591f396c59dd4304

SHA1
e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

SHA256
d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

SHA512
2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
91e89794a950f0c7d439595297e31036

SHA1
73ffcbd7ed7056221d2758180139fad6131aa726

SHA256
a987ca7d465ab74e819f81a0f13713e60a530f371c0dc0b5da1f16042f4166a1

SHA512
7c689da0d24e237c3633843700d04e831fa027f8f6818e14620956088f34f08a5202cbafef81ceb5b88786af7593286642b1d9b653b994bc4c09f7e1a638985f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1

Filesize
35B

MD5
5d792fc7c4e2fd3eb595fce4883dcb2d

SHA1
ee2a88f769ad746f119e144bd06832cb55ef1e0f

SHA256
41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb

SHA512
4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
4.1MB

MD5
879b0fef453f65872af0b41924e5adc9

SHA1
a9b8ae3a74e8e9ddda9805db8bdc0ad1d575d4fd

SHA256
b8512f3e38e425f046902652fbdf09da7652bd398bb8f37f4192cb87c2003cdf

SHA512
f2a9916a4e0ea94a812252f9d97f379552a9e176ef58abaa0b964cc3a2b9d325cb28ef4f2225cc8d32fbca37a7e7d1df80842252a734093070d8682e05d6bffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
1.5MB

MD5
88f3356ffed02fc5172f0db45583794e

SHA1
3f8b2582107cfd558d2b75c04adfd4b5d73c303c

SHA256
85c93e322185d6a2c3dacc04cf1e6173e8e93e7ff4df0610480e18c9713ddc9f

SHA512
815c0032cfe9fa80de59737b800a3388d6034cd58671451ca63d4a74295789e579ddd4f0c928a8cc11f296be4212cf9461fd317be0e1fcaebff0f08985b76f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
1.6MB

MD5
f16b48c9bbe6101e156ccb95000d8dab

SHA1
5d66c71bb8889bd6516aeab28a56f9c907b703cd

SHA256
dae3b2e93d885407151e76e323b70f96dff6ce171f6a294bf667ecc0257ac9ec

SHA512
2111202ba8b27ff5c3e007cf41c65a5143d29cef05de11064a1f356b23baa1e10f858217917e5463103dd86b823151553e785cd74e6984c99a757b43ac992486

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
6.0MB

MD5
3926c7b8fdfb0ab3b92303760b14d402

SHA1
b33e12ef4bdcd418139db59d048609c45fe8f9eb

SHA256
c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7

SHA512
4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
3.8MB

MD5
59da608ee8a164c658434e6c66f85f7e

SHA1
0b66913c40ca6e3435e4803512fd3db759a1faae

SHA256
33a56a5c2db4ee4ee9478612b719cc547ef0dc0cd603e684f21b733bfe4aaed7

SHA512
c7e3d68b0243868b5c636172dedb11112cdd605f52b1b69d50b97e57ed8f29af07d290fb6999cf7ddd2a667d2782f10d4b057c8e69bf9b91e26ddb85155b85de

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
2.1MB

MD5
1d7166cc31eb40a1e01b175db70836c4

SHA1
d5b00dae8cb2e60605219a836728cd99b422fa59

SHA256
d3424c83dc1c93e8313bd7cc99469772e0469998bdb9dbe0e486c84b09240e77

SHA512
ccebdb91ccea1493445504387904fb6a6c6ab1130333dbab1c5a97a780e7d9cec5a4a304a6542c9054d7e8ac88619096175c30285e03137b6cff46254001866f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
1.2MB

MD5
5f9da4cb26962602376e1e17c66b7823

SHA1
ada8ee930612bb39a030e7632d47e1a92c5f82b1

SHA256
3582f45a608c66c862f79781dd9356b031ed2980d8a0cd9c84773cddb29484e6

SHA512
19b4b90a2454a08f4852cc308c5880dcdd82ac2381efe96f2e48319d222262f1a073fc119d17cb1ce838ab01aaaa1094f3241f47a90b22e316db662b04a308c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
5.5MB

MD5
f35791ecc6e9f2a581381f77ff170ef3

SHA1
6633a71a193f1d60675e4c507d92804f2e33f8d9

SHA256
b15c76b4bcfa2c08d3b0c4dc01cf3220affdbaa4ca55c000f3aefadfe9b76703

SHA512
fd40772f76794f4b2ef13a4a6c38af5413e5f9d9dfe30ba63396171da825cabb15dd10362c19d49ee350240bec342708ad17386b61a5c55a5153c7d5a61bf8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
4.5MB

MD5
baf7d0ed3f88b5a98fddc1622247f3b9

SHA1
b2b1d6ba0cb779dee26511fdf77d35911236b720

SHA256
04c1cbbbbd3a4bdc371edf7ba210727dfb27bf79f6c54716eec31b399f044bde

SHA512
25b8fa6d5a969b2ce55c91fd228eca88b36dbc24d161a8a1c0da4e9a7bb08a5df7e88e163cc22b97bb91dd93cda8dee196a32b6b69cec6d5ea54f8725a8115c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0tofuim.i5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3cmaxef.0.cs

Filesize
208KB

MD5
3fa595cf7244b929740eb1b6a718f95c

SHA1
5eca395f11f29d1d313b77b8ecc88f6ec6c97f5a

SHA256
0f9c7d197cbeb2e25b94bfb87500bab7a5586829a3484a147c0f941dc0b92217

SHA512
3479c0cfa528d76aaf7e39e1818c1c7429ff4778d0f5f2bc9d0f3eeb4ce2d8fc6d68922859d91973f97349a627cb19d6ac31c3c7d723d54cd92e5544445a1344

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3l6xj0v.0.cs

Filesize
208KB

MD5
15dd5fc6f75b6659ef0939c0931b1571

SHA1
0115077541307076c850bab8fc09c64eaec35379

SHA256
415961f82e087130e69be859e7cc7377ee3fe250e0a50471dfbd2ef078c37491

SHA512
f135ebc6a4d5d4a7da3e081a8354361b40402062feb0f0c2fd3fb249f0a3440790da1cc9a5501b25cf6064ccd4de5963112a19c30a7569f9fcfbf3d8c5934ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldhlfsev.0.cs

Filesize
208KB

MD5
b3f15b62e7a57f84e42c3343a46d45cc

SHA1
8de0d32bb4a01f51a9db22867d1ff74701971725

SHA256
5d2c32e70719677ba709251984ed163e032bd5378404091f02fe01da812c9023

SHA512
231dad7abaa33e43710e0ae559b56da1c3d099100a493053b8cd60bfc2e09d9fe5e474518227d3bef3672339da7670fa8028902466b1f104bacb724d7cd1a7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpxkyznm.0.cs

Filesize
208KB

MD5
39bd13b4b1158ebb3db24636a66a24e4

SHA1
3d740f26d4a1c92820b1d04a5ecea6a646eceba2

SHA256
9b888a917e53ae095e10e6a281d7d133244c931d811d416af699df41f7eb396c

SHA512
642e4fbd50522da1037baef3952a225cc996d15626fe078f95a14c462dfffbb9322678a5378dbe66d968121557788dec812fb2378e6bd64b98730e31b1009214

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

Filesize
64KB

MD5
0a78aa289dfbdc2a231da2477d05a9b4

SHA1
f534747751097fbe04217f29b75cddd8ff267d6b

SHA256
6620fd5c8af0670aa84bb80c43face3f4e63bd3b1e035dafeee05991cfe9c1f4

SHA512
c41ca77275e907d6d00c214b85e39b88f0bd84bba3978871f6d45f58adfd51c912949a59b3c57831a071242a9e06f2a2fded5042364677124879e288e700a3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

Filesize
155KB

MD5
b4ec612c441786aa614ce5f32edae475

SHA1
3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d

SHA256
e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd

SHA512
c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxl2_byq.dll

Filesize
76KB

MD5
70986492e827360a05c6162676c17f68

SHA1
55aeb727d0f09f374b65e51afeeacf7b49be2fbc

SHA256
0a3291b23af69ce053fd6b1da5ebbb07fd317ed48eb21b8c953bf31220943cf9

SHA512
c01f0e941fd6ec61d68b0346180d4e3aa85ceb115fab29fd2284fc575b411d1b863df2bdc07497280c47239a0051184e450046ae335db71c0cd02ef01fb9cc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7w0g4br.0.cs

Filesize
208KB

MD5
15db58d50525df2b54c95166602be406

SHA1
74b78c22f7ec783bad09e3d3e88638094d5ec685

SHA256
d37414ca8b986100d94b657fea119ff5f8bc33446906ae057eba6909063ab229

SHA512
a4cd7dcf95bac75a28f7fd0936695a2934f9a2bb5dc42e80d9473f3e863911adcfd4a813f298855111d5a3dec8b5158a8347920043c8f2be4db0bee4f24e72cc

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\assembly\Desktop.ini

Filesize
227B

MD5
f7f759a5cd40bc52172e83486b6de404

SHA1
d74930f354a56cfd03dc91aa96d8ae9657b1ee54

SHA256
a709c2551b8818d7849d31a65446dc2f8c4cca2dcbbc5385604286f49cfdaf1c

SHA512
a50b7826bfe72506019e4b1148a214c71c6f4743c09e809ef15cd0e0223f3078b683d203200910b07b5e1e34b94f0fe516ac53527311e2943654bfceade53298

Download Submit
memory/960-157-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/960-128-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/960-120-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/1496-166-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/1496-123-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/1496-165-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/1496-169-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/1496-125-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/1808-83-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/1808-75-0x00000276F3860000-0x00000276F3870000-memory.dmp

Filesize
64KB

Download
memory/1808-71-0x00000276F3860000-0x00000276F3870000-memory.dmp

Filesize
64KB

Download
memory/1808-66-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/1808-32-0x00000276F3860000-0x00000276F3870000-memory.dmp

Filesize
64KB

Download
memory/1808-38-0x00000276F4030000-0x00000276F4052000-memory.dmp

Filesize
136KB

Download
memory/1808-30-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/1808-31-0x00000276F3860000-0x00000276F3870000-memory.dmp

Filesize
64KB

Download
memory/1872-67-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1872-74-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/1872-54-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/2480-156-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/2480-167-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/2480-140-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/2540-149-0x000001CE801E0000-0x000001CE801F0000-memory.dmp

Filesize
64KB

Download
memory/2540-143-0x000001CE801E0000-0x000001CE801F0000-memory.dmp

Filesize
64KB

Download
memory/2540-142-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/2964-52-0x0000021363320000-0x0000021363330000-memory.dmp

Filesize
64KB

Download
memory/2964-72-0x0000021363320000-0x0000021363330000-memory.dmp

Filesize
64KB

Download
memory/2964-82-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/2964-64-0x0000021363320000-0x0000021363330000-memory.dmp

Filesize
64KB

Download
memory/2964-51-0x0000021363320000-0x0000021363330000-memory.dmp

Filesize
64KB

Download
memory/2964-50-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3040-137-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/3040-138-0x00000000015D0000-0x00000000015E0000-memory.dmp

Filesize
64KB

Download
memory/3040-141-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/3060-164-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/3060-126-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/3060-121-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/3060-162-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/3076-99-0x00000184732A0000-0x00000184732B0000-memory.dmp

Filesize
64KB

Download
memory/3076-84-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3076-85-0x00000184732A0000-0x00000184732B0000-memory.dmp

Filesize
64KB

Download
memory/3076-97-0x00000184732A0000-0x00000184732B0000-memory.dmp

Filesize
64KB

Download
memory/3076-86-0x00000184732A0000-0x00000184732B0000-memory.dmp

Filesize
64KB

Download
memory/3076-107-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3140-2-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/3140-1-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3140-28-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3140-0-0x0000000000310000-0x0000000000554000-memory.dmp

Filesize
2.3MB

Download
memory/3364-139-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3364-106-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3460-124-0x0000019794E70000-0x0000019794E80000-memory.dmp

Filesize
64KB

Download
memory/3460-122-0x0000019794E70000-0x0000019794E80000-memory.dmp

Filesize
64KB

Download
memory/3460-132-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3460-130-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/3460-129-0x0000019794E70000-0x0000019794E80000-memory.dmp

Filesize
64KB

Download
memory/3788-168-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/3788-127-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/3788-119-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/3788-158-0x00007FFD74B90000-0x00007FFD75531000-memory.dmp

Filesize
9.6MB

Download
memory/4452-53-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/4452-44-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/4452-29-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/4524-76-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download
memory/4524-104-0x00007FFD785C0000-0x00007FFD79081000-memory.dmp

Filesize
10.8MB

Download