orcus | eacf04d721fe4880dc73790ccbd58acf310dc0c90b13b7424200a9aa2b94640a

Analysis

max time kernel
151s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
07/01/2024, 12:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberV12.exe
Size

926.0MB
MD5

930b3bbbaa989db448d8ec5c696a5a16
SHA1

a27e7c76990a31f1414d429e828c81e14f48a00a
SHA256

eacf04d721fe4880dc73790ccbd58acf310dc0c90b13b7424200a9aa2b94640a
SHA512

cb9dc7db9f4a4c0dc5407d0a9bbd5c1301d5c4d03fed7d6b972c61a816c8860aff072f1515189d21b3336448a7c19d99f636cc3b060e4628c2ef7dbd1e75291a
SSDEEP

49152:KUAHP06/eyShf+okdWtRAOk3HQ7JTDCgV4L6uzxGiWaUKU:WmBf2dWtnGcDnMjFWxK

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

209.25.141.181:40489

Mutex

248d60d8a7114264bce951ca45664b1d

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\Chrome\chromedriver.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
winlogon.exe
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000200000002a7ff-188.dat	family_orcus
behavioral2/files/0x000500000002a713-233.dat	family_orcus
behavioral2/files/0x000500000002a713-149.dat	family_orcus
behavioral2/files/0x000500000002a713-150.dat	family_orcus
behavioral2/files/0x000500000002a713-285.dat	family_orcus

Orcurs Rat Executable 6 IoCs

resource	yara_rule
behavioral2/memory/3608-121-0x00000000003E0000-0x00000000004DC000-memory.dmp	orcus
behavioral2/files/0x000200000002a7ff-188.dat	orcus
behavioral2/files/0x000500000002a713-233.dat	orcus
behavioral2/files/0x000500000002a713-149.dat	orcus
behavioral2/files/0x000500000002a713-150.dat	orcus
behavioral2/files/0x000500000002a713-285.dat	orcus

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
  "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
  2⤵
  PID:3740
- - C:\ProgramData\Chrome\chromedriver.exe
    "C:\ProgramData\Chrome\chromedriver.exe"
    3⤵
    PID:3608
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 3608 /protectFile
      4⤵
      PID:2740
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 3608 "/protectFile"
        5⤵
        
        PID:2736
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    PID:1076
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rf8o5nbt.cmdline"
    3⤵
    PID:4324
- C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
  "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
  2⤵
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
    "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
    3⤵
    PID:3376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
      4⤵
      PID:4728
- - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
    "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
    3⤵
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
    "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
    3⤵
    PID:4540
- C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
  "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
  2⤵
  PID:3240

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
PID:4536

C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
1⤵
PID:1356
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF5D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF5C.tmp"
  2⤵
  PID:2564

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BC4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9BC3.tmp"
1⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
1⤵
PID:1760
- C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
  "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
  2⤵
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
    "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
    3⤵
    PID:2984
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlocdygd.cmdline"
      4⤵
      PID:3340
- - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
    "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
    3⤵
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
      "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
      4⤵
      PID:3872
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kvitndhe.cmdline"
        5⤵
        
        PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
      "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
      4⤵
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        5⤵
        
        PID:2480
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4mzzy_cy.cmdline"
        6⤵
        
        PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        5⤵
        
        PID:2356
      - C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        6⤵
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q_xfwh8q.cmdline"
        7⤵
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        6⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        7⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        8⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7abffbao.cmdline"
        9⤵
        
        PID:3220
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2DF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE2DE.tmp"
        10⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        8⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        9⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        10⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v2bxkb7q.cmdline"
        11⤵
        
        PID:4864
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9537.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9536.tmp"
        12⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        10⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        11⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        12⤵
        
        PID:4704
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l6zlmpgk.cmdline"
        13⤵
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3322.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3321.tmp"
        14⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        12⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        13⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        14⤵
        
        PID:3684
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzkgpxwp.cmdline"
        15⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        14⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        15⤵
        
        PID:536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9v5jegdh.cmdline"
        16⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        15⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        16⤵
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9cvpftrq.cmdline"
        17⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        16⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        17⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iuvlnrlz.cmdline"
        18⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        17⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        18⤵
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g02xk-rb.cmdline"
        19⤵
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC92C0.tmp"
        20⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        18⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        19⤵
        
        PID:3180
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtuvqopy.cmdline"
        20⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        19⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        20⤵
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        21⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        20⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        21⤵
        
        PID:1836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        22⤵
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        23⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        21⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        22⤵
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        23⤵
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        23⤵
        
        PID:3752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        24⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        22⤵
        
        PID:2496
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3vl6hbir.cmdline"
        23⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        22⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        23⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        24⤵
        
        PID:2152
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxh06myb.cmdline"
        25⤵
        
        PID:2484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        26⤵
        
        PID:1540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        27⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        24⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        25⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        26⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        27⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        28⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        29⤵
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        30⤵
        
        PID:3216
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26F8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC26F7.tmp"
        31⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        29⤵
        
        PID:1792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8hcn2vw_.cmdline"
        30⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        29⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        30⤵
        
        PID:2628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        31⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        30⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        31⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        32⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        33⤵
        
        PID:4324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2s5pdwt.cmdline"
        34⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        33⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        34⤵
        
        PID:1352
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lftjex53.cmdline"
        35⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        34⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        35⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        36⤵
        
        PID:3908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        37⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        36⤵
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j73es_zq.cmdline"
        37⤵
        
        PID:3580
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDD9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDD8.tmp"
        38⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES382E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC382D.tmp"
        39⤵
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        40⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        36⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        37⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        38⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        39⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        40⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        40⤵
        
        PID:3828
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jf5uopte.cmdline"
        41⤵
        
        PID:2508
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES268.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC267.tmp"
        42⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        40⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        41⤵
        
        PID:1196
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2bzz3_5w.cmdline"
        42⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        41⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        42⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        42⤵
        
        PID:3200
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mjohkety.cmdline"
        43⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        42⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        43⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        44⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        45⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        46⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4dqsxrbk.cmdline"
        47⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5396.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5395.tmp"
        48⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        46⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        47⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        47⤵
        
        PID:3216
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvldillr.cmdline"
        48⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        47⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        48⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        49⤵
        
        PID:4220
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vqjruaap.cmdline"
        50⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        49⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        49⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        50⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        51⤵
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6n6dmdnz.cmdline"
        52⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        51⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        52⤵
        
        PID:2740
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-bgehlay.cmdline"
        53⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        52⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        53⤵
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7hg-7cia.cmdline"
        54⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        53⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        54⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        55⤵
        
        PID:1388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        56⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        55⤵
        
        PID:2076
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\et9gv2ha.cmdline"
        56⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        55⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        56⤵
        
        PID:4804
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcub3aya.cmdline"
        57⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        56⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        56⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        57⤵
        
        PID:2820
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wpfpeiu2.cmdline"
        58⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        57⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        58⤵
        
        PID:2268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        59⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        58⤵
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e19fzeq_.cmdline"
        59⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        58⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        59⤵
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        60⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        59⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        60⤵
        
        PID:4700
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pdbpdec6.cmdline"
        61⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        60⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        61⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        61⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        61⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        60⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        59⤵
        
        PID:4644
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3kkawgj2.cmdline"
        60⤵
        
        PID:4948
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADBC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCADBB.tmp"
        61⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        57⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        54⤵
        
        PID:2016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnre0rhn.cmdline"
        55⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        54⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        53⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        52⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        51⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        50⤵
        
        PID:2172
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqvmurwp.cmdline"
        51⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        50⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        48⤵
        
        PID:1620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\98mop_0p.cmdline"
        49⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        48⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        46⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        45⤵
        
        PID:4776
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ansbpzzj.cmdline"
        46⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        45⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        44⤵
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvjnhlb5.cmdline"
        45⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        44⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        43⤵
        
        PID:2016
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jkrhurpn.cmdline"
        44⤵
        
        PID:2484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        45⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        43⤵
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6B5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB6A4.tmp"
        42⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        41⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        39⤵
        
        PID:1792
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jux8t9tg.cmdline"
        40⤵
        
        PID:2620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF97F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF97E.tmp"
        41⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        39⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        38⤵
        
        PID:1668
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6uyvbflv.cmdline"
        39⤵
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        40⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        38⤵
        
        PID:2484
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DEF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1DEE.tmp"
        39⤵
        
        PID:3836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        38⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        37⤵
        
        PID:3336
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\taqmrlur.cmdline"
        38⤵
        
        PID:948
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6F1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE6F0.tmp"
        39⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        37⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        35⤵
        
        PID:4268
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uluposmi.cmdline"
        36⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        35⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        34⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        33⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        32⤵
        
        PID:3384
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8yeubun5.cmdline"
        33⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        32⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        31⤵
        
        PID:3348
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0hiv6g9.cmdline"
        32⤵
        
        PID:4492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        33⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        31⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        30⤵
        
        PID:796
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\txpzlfat.cmdline"
        31⤵
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4F0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4EF.tmp"
        30⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        28⤵
        
        PID:4104
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bnm4zuk6.cmdline"
        29⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        28⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        27⤵
        
        PID:884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1burutz.cmdline"
        28⤵
        
        PID:2108
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CAC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8CAB.tmp"
        29⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        27⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        26⤵
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vhutzhrc.cmdline"
        27⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        26⤵
        
        PID:4400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        27⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        25⤵
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\abs8ej4n.cmdline"
        26⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        25⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        24⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        23⤵
        
        PID:2740
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k-mks2hl.cmdline"
        24⤵
        
        PID:1840
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6899.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6898.tmp"
        25⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        23⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        21⤵
        
        PID:4116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x1iuvwo6.cmdline"
        22⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        20⤵
        
        PID:2392
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\colxzup8.cmdline"
        21⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        19⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        18⤵
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC35.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC34.tmp"
        19⤵
        
        PID:3816
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A6C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7A6B.tmp"
        18⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        17⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        16⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        15⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        14⤵
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        15⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        13⤵
        
        PID:4028
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bcwwuxxf.cmdline"
        14⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        13⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        12⤵
        
        PID:2888
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1856.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1855.tmp"
        12⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        11⤵
        
        PID:3884
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\geo2je7y.cmdline"
        12⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        11⤵
        
        PID:4116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFF9.tmp"
        12⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        10⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        9⤵
        
        PID:4648
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvb8zdhp.cmdline"
        10⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        9⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        8⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
        7⤵
        
        PID:3128
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j1cs85mm.cmdline"
        8⤵
        
        PID:1196
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD8B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFD8A.tmp"
        8⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        7⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
        8⤵
        
        PID:3160
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA72.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA71.tmp"
        9⤵
        
        PID:4952
      - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        6⤵
        
        PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
        5⤵
        
        PID:1448
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FC2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2FC1.tmp"
        6⤵
        
        PID:476
  - - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
      "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
      4⤵
      PID:4300
- - C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
    "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
    3⤵
    PID:1960
- C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
  "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
  2⤵
  PID:3576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j99mxkxx.cmdline"
    3⤵
    PID:4852
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAAE6.tmp"
      4⤵
      PID:3904
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES694.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC693.tmp"
        5⤵
        
        PID:1436
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC93.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC92.tmp"
    3⤵
    PID:4444
- C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
  "C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
  2⤵
  PID:3260

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
1⤵
PID:3248
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tagtgjmm.cmdline"
  2⤵
  PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
1⤵
PID:2128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA22B.tmp"
1⤵
PID:3164

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xjzcbeaj.cmdline"
1⤵
PID:476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
  2⤵
  PID:2612

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES900C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC900B.tmp"
1⤵
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1012

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB48B.tmp"
1⤵
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:448

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD36.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBD35.tmp"
1⤵
PID:4852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2248

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6AC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC6AB.tmp"
1⤵
PID:3164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1276

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD061.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD060.tmp"
1⤵
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8EC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD8EB.tmp"
1⤵
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1012

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF51F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF51E.tmp"
1⤵
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2032
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES897A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8979.tmp"
  2⤵
  PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2276

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES214F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC214E.tmp"
1⤵
PID:4112

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A48.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2A47.tmp"
1⤵
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2848

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C88.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3C87.tmp"
1⤵
PID:420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1988

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC45CE.tmp"
1⤵
PID:3432

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EF7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4EF6.tmp"
1⤵
PID:3892

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5792.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5791.tmp"
1⤵
PID:4976

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FEF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5FEE.tmp"
1⤵
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4640

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7134.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7133.tmp"
1⤵
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:3816

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8355.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8354.tmp"
1⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1808

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EDC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9EDB.tmp"
1⤵
PID:3892

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA823.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA822.tmp"
1⤵
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1428

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1C8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB1C7.tmp"
1⤵
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:388

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC33C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC33B.tmp"
1⤵
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4988

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBE.tmp"
1⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4194.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4193.tmp"
  2⤵
  PID:1940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES145A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1459.tmp"
1⤵
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4268
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8082.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8081.tmp"
  2⤵
  PID:3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:1388

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A2E.tmp"
1⤵
PID:4852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2124

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C02.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C01.tmp"
1⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:4948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES650A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6509.tmp"
1⤵
PID:3404

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DF4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6DF3.tmp"
1⤵
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES773B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC773A.tmp"
1⤵
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:2336

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C18.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9C17.tmp"
1⤵
PID:388

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4F2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4F1.tmp"
1⤵
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
1⤵
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\chromedriver.exe

Filesize
5.7MB

MD5
a1c49675458e2cb9241055e5bc21b03e

SHA1
72e3eaafd781050b7f45bde6065fd5036d84477c

SHA256
37349f8857956dd37b8100f6b36921a980d52eb088a6be72c3b6b519220417b7

SHA512
3fa4bd19d7eeab224b407af2e3c483116708e94b94e0f4ffff933529ae24cf305874efe410aca7e79e1cdaa4945f1dc3d9db50aac707818768da62efa746ebd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\UnityCrashHandlerV2.exe.log

Filesize
706B

MD5
ff2a00f3070e734f54758fb05eb2cc15

SHA1
09f46a42146fbea98bb576f9be8ededdbe979d89

SHA256
7c979cb4d3e8c0a08d522b043a2f22181e4b88c170220d04eb7d537313b599ad

SHA512
7875ec4aa4fa093e0ba01444d55ea7d07de48965bebcbf665c6670c00446c987de2a22fd6aabdad4347c46b5720d2574bf01a317ce211493e0b382dfb2fc264d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlitzedGrabberV12.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
42040a6f7e21cfd86a96c5332c2788bb

SHA1
5c6a3971c7fd8ed44dd7c402777a95823cba1e5c

SHA256
d4d37b2b2ac762d3dd8d5dda2910d4bd3450f43698a0d5cebd7f8392d193883e

SHA512
7af6ee3759fdad0e75d55c875551b155d94d9435e9bfe2acf76689e633470b4d7515fbdf2202e07ea4d6c2f9e9822f6d109284513f43e620328f905b90df74ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
479895245adefd8bf3b5b12635182370

SHA1
7d469513c242796f2b1d2eb4ffe9285a2a62d768

SHA256
e15a137d87bf45fec91ec8dd7a5d342e98ceda16fd1791dec6f3e8124c5a75fa

SHA512
9caef52372788c95784147032f93eb8dca2fb2e33649a53c70755a041a7b5962e3df5817166a48e6be622e5ecec1b46c60a2086f69c75f30b68eb2475eb20f01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1

Filesize
35B

MD5
5d792fc7c4e2fd3eb595fce4883dcb2d

SHA1
ee2a88f769ad746f119e144bd06832cb55ef1e0f

SHA256
41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb

SHA512
4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES900C.tmp

Filesize
1KB

MD5
5890cebfd3f14e122261210bcf2fdc70

SHA1
0246c71ba5015da537f9277af275da845cc08bed

SHA256
c873e2a2acf15c519cf8319dcb2a87bd8ff3607ecd67bdd7c2cb650a09ecaf3e

SHA512
3841f65bf54733a796d6b5d3a1989d0192a85a599b092d44b97db7cd4a775c96515656a7947c4d79cd9c987bd5b46590d83f6ced30d7feaf5ec21119c6ec8723

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BC4.tmp

Filesize
1KB

MD5
0ffc2a9724ed2e54bcf74cbb586ced0f

SHA1
aa22b051f2f3b7d0925078176864df1aff39e174

SHA256
9b1300a3e60fe0e0ad10d49b69fee687a2e1e89d01b91be129a66a8dc84b114b

SHA512
d87d5d161604d684f1a7f106e0f706bcba8b38590d6f522bfa7347f63bafab36e3de174f1d42f2a9bc506097354bcc3221d89e193f32326dbdd9bf562798aad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA22C.tmp

Filesize
1KB

MD5
505c8211bc2d70177521abb9053ad255

SHA1
9b9e02a064f6e3514ce4ab6e89a0a54ea16505ff

SHA256
4b56dee2385849ac2baae9811565281415fbdc769ee3a0c620d62b0ba5dd5214

SHA512
07851f01ca8e2a7c3b1208f0a7295160a7b729e30b3d222bcd08c665686b0d5809b2acf2e8c6c515aa9ef27c779c2b8b1bf94b36e3ccbb0229e21ec4f37db4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAE7.tmp

Filesize
1KB

MD5
95d73af1b69709000cb284dab1d9d7a3

SHA1
e304cd6975c6234b14d2ec4ebe17664ba6da864c

SHA256
02e94d46ecf6e45d58f6ed5f192e236d6e63b7ab5ad328d01e05e00c758e55ba

SHA512
683433b07ba49e996619c8e1cba47976103db35d2f15b075e54d559e6018a9af239372c5b0b8d543315b749daf2a7db998a9095134456ede8dc47e53bc5a34a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
6.0MB

MD5
3926c7b8fdfb0ab3b92303760b14d402

SHA1
b33e12ef4bdcd418139db59d048609c45fe8f9eb

SHA256
c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7

SHA512
4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
5.4MB

MD5
3256de2dd4920e6412274e6b86eec2ee

SHA1
5bf2a2a1c867257562cacb77abed69b9b702300e

SHA256
4122b9e7ffc9ee222b428dfdf28876b979b6b96ddbe2bed82ad16d8faa2fec05

SHA512
5ce86714fe8e69331d823a66a96db2d4c893ae2be100c0be2374a7fb39318bb8edee124f15ccb4fcaedbbfbeb04dfb32bbe44fa87a2dd193e65f72511ea95c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
5.7MB

MD5
5d6f6f93b456bcb84eb817cb0cfe90e3

SHA1
47253303c16b763f9056d9396dab3d32eeb5baac

SHA256
d039b8f46532eff4a900c75d968f8aa465d1c25d9ae44d1a8d052037d18089fb

SHA512
6ecdf29c3b3e42b877c3d20e2026ea4b86e4667823fdd61399ae37e0c5782cdd4946524046d73e083d5352f12c32b3deb3add334c446f98de7a2f57b45ca3ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

Filesize
5.9MB

MD5
5fdae30a0a1424cece5c4c0cd283c297

SHA1
dd09bd9b9215aff0a3b028c4e83f8bb39f670ca3

SHA256
4c68403945236ce2dcb3ed96afc28c1831b07998f619e222408b143c88681a3d

SHA512
301535a8810bb183278cf92372d12c94472f48488cdf695479edd2c3de286a8ceacedcda56d5e30bbea4e2cf0a48ae2f8b082e34e5aa77e59386afb7713f8ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\j99mxkxx.dll

Filesize
76KB

MD5
bee80a14831941ddeec7f5fde92520fd

SHA1
f85733eee106593b17feaf88f3f9f7650fdd3441

SHA256
214992eb6d8dda1b34a6320bea0cce4cb265d05c61fa7e105468d5fa084202de

SHA512
1efe4828ef153d91a94c59789bf7db3030ba7870a91ba73a6a3b9e28e409674bc84ac8ea9216d61b3617166607318f9e14c4cc5dc9edbb7b8e5d791288118d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

Filesize
155KB

MD5
b4ec612c441786aa614ce5f32edae475

SHA1
3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d

SHA256
e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd

SHA512
c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16

Download Submit
C:\Users\Admin\AppData\Local\Temp\rf8o5nbt.dll

Filesize
76KB

MD5
76ed69312164ea2cacc116547b882322

SHA1
4c37b46a90bf486037d992928dc3485d38ade1a6

SHA256
5349f0cbe47b415d6b90be94b0b90f546cb8c7dba41e3611a1b39752aef81bda

SHA512
f45490e4b0eb09344dd40a80bc5cd6a24be33068adfb6fb9c867290ea19fc03a9372a85982c7083ab4a6d3db3fc06dde50406a80c88cb7a528a568575363fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tagtgjmm.dll

Filesize
76KB

MD5
bdf4ae5d8aa51077ae839ee5c35ccb55

SHA1
2cea55a5a04cbb67664ade61a7869bb20cd48131

SHA256
6d14efb6bcb50f115334f65b8b324b09669a0ddb59361873268ad0f1d273ed0d

SHA512
f9a06c53cf86c6c1b2f14250171794f33bba2f1b58f173ce571add74d1e0720485c44c531383d96b749ba24b95e39d453ef9a34f69921f052d5148b4d45c3f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjzcbeaj.dll

Filesize
76KB

MD5
e5f6fa3da8c8c847b31a0c956639fe9d

SHA1
b6dcce34e5dd3e316fe48487dfdc345ee1f9f1ef

SHA256
d89565451fbe79099e94b97b290e9c89f854cb5bd17d47f4b3e527de9e7987ac

SHA512
84347b6e9849d711803dd738d04f340c2785338780945c1e40d8dae0b4e7430c1ae5efdb9393c94987200cffcf150412889ab534007b8f9396f9ac93b67009c6

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC900B.tmp

Filesize
676B

MD5
0092423595e70c35f2fee46991c61161

SHA1
1a197c5f731d044f14a4d4dc2c31f869ba0a2b06

SHA256
cd82737e314faeab9fb36e5bdceb4a74536bfa50c4715456529e467eb34b41c9

SHA512
5faeb51f62a17f724e36c1f3a06f2816e0cca2c71aef130a6a7e9b5c2aa466fa4b2fe24743597b6574e342d96dff729d4dfe86dd3f6df8146dc830b3a3feb5f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9BC3.tmp

Filesize
676B

MD5
ce0030ecced61fd31c7fcac43d8a5ec9

SHA1
26b2d4d11b3b5f462b731d0b596520a688fe296f

SHA256
9134c79559fba45344bc8ee491585ec6e9f97070fe5134d15ed01bb76aa03141

SHA512
1b49fbaf33e2ef7813911294619eb6bbb72926cffca18b07f6e8a15060e4418b47dd87e788e9f8e8e3cfd587d52b625fbd312c59056ce63e718cb3cdf43c2ca1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA22B.tmp

Filesize
676B

MD5
06f31fad0da59a49f4db0ec9746c41f3

SHA1
cda8d6954fb22de7cce390af6cba6ed59140d83c

SHA256
39856d3c6d682e108cb69811f9187f9732069bc23785b13de57d00087fd6833e

SHA512
8e0dfe965b92f43c3687d8f0721c3c68779fe23346e9eb283a46fef5c0e108d0c54ea74b4e1c42e6cb5ed81edbe069cbdc79a97d423e4ea6a3f9f60f68ca0e9e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAAE6.tmp

Filesize
676B

MD5
83a2d7efefff5d101bb876e6cda9e79b

SHA1
265f120af26ac14eeea929e82006b1c743baa5d0

SHA256
94f261ef7e2340175b6bb6e98bf4aa47ad741085debacc4feaa45cf688790110

SHA512
92f8cf115176c3c33999ef63dd2ad6c027683ac309d4c096820805f3269da4342a1c6e4c269f3ecc5fac60d77051cf8aae84c645ce8e6f8bfe8599ec711847cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB48B.tmp

Filesize
676B

MD5
4c968db7ca408322ffab93e9e2fb8f13

SHA1
6270e63e8af58c90ceacc117342e9774427cd584

SHA256
e6cc6a5ded7f6669aa79813c042ddf9feb44c1d9287836a58632b7e5a80ea79d

SHA512
79d9f30304a791f4ae89f7ab57ea2d1bbf748385a07c6b95d5d36ad9ef8c9a038433965e65b2a84574f8e8be1d30561f8c9a461da6ae9fea45196e99701007ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j99mxkxx.cmdline

Filesize
349B

MD5
68c24ce087061e9a353307c87f250768

SHA1
d8642ab5f78950cbf0460ddd5e92aa6c9ab7c8ac

SHA256
85c25657f386a4e02d01d916f720fd34d618f81f093f663e4f17e22bbfb383a7

SHA512
ffd274b6d54d792c3091950980be1c0950e2c1a68d3b59a4ff68213bf200a4616a4e8337679e9203291fc7dc827275cf9bc8f2192208fcd1b480be1740cf0523

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jlocdygd.0.cs

Filesize
208KB

MD5
10a24fa44952b48b8273dc15a2f607a5

SHA1
332ee36f42b6520023444a3d64ec11b8a43c46c2

SHA256
475d984b360e49a77d6889e6990929bd956c133ac6034bb5a59edbe20d14e5e3

SHA512
0078047f57c9fa630d30bc94001090037178a3ffcf542e3c41bebcdc1279c6ba43365f23da7c262d0bd508e527591bc4fd71409d48c3365eddeebbd847325685

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jlocdygd.cmdline

Filesize
349B

MD5
1dfced53d374f3445a59c874325093f7

SHA1
90b08043efa865f5baef2758f503342a982e5efc

SHA256
528a4abdfe67d4aa14d7032025f5af9ffb112a77a6749ddf6a8394f2ab917129

SHA512
6be3efdf96e98df34ca8f9d398c0befcb0278c7b60c59e6391b65c1bcd262d316fc6f929fbeac74c1e40420c69043892d8cca167b52c177dc01590c1c78b8f74

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rf8o5nbt.0.cs

Filesize
208KB

MD5
ad8f3ede036f944e6e35c668f68e7e1b

SHA1
08f53a32c5ef19d058cf0bcd8832352c89f5c66f

SHA256
e0554ccbcfc5c79574b318900e858be7d57534a9746b7779cc77802cdf310bb4

SHA512
d630670030b705041434ba17000d29eb62b2aac52fe2c43466495451d9ace0734bbd150cd7710cc9aae7c610aa7e2c326639ded199045a3254bcf73059aacd09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tagtgjmm.0.cs

Filesize
208KB

MD5
0aeef54d1c3182278b48ec7b436cc443

SHA1
e4f2dbcadf3dd5d29d5523f583323d5aed8a9cf8

SHA256
34c27c659501db28a8e8d790a88cff53e5ca63932451a5af4f80ee033d0dafbf

SHA512
d5098c12ebb0e5460a25f5b2a2ecf843795492c4cd581d76e9eb2d068168cdd35111a7a84dca28af725a0cfe17baa75a2bdbf81543cb820e626c839e871a168b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tagtgjmm.cmdline

Filesize
349B

MD5
f951aa715c906201bd977c65d5a3ad18

SHA1
2904f1021d3497e2521fdb67b89392671ae68f19

SHA256
5bd30530554879d6fcc6e4ab91af4690ea47adaf58d66f99071090b6381d717a

SHA512
47356267abf9b9b8fc55f7e6a232297eb04b2818d37b74659f6815c01d102f9faa7f6f6274c0f366d07df1c41bef8271083238be99cb5f5f036c69f3194c7e35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xjzcbeaj.0.cs

Filesize
208KB

MD5
24ea1de4a1a2293a19cefa010053c8e2

SHA1
58aa2aa7b5fbaa8b23e52296351ffc0f87417736

SHA256
3df3a253d3a6feaf7005fde361fb3064d685cb5ce0845ce42633a80fc99b8f00

SHA512
2b4f74746affae0f4c42b71ec1153a3bda81058a1a0f44924089abb942fb8d85262fd9abb3578da48278b8e9a80c0ad70b7b60b165de3686567d6acd5a5b6794

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xjzcbeaj.cmdline

Filesize
349B

MD5
0a606e6e593ed45fef14ce5cd89a9c41

SHA1
fcb9cb8c24c0e2dbaade40a612530f75d9789706

SHA256
3e6e9d67294addfde593f1b2d65d07ecbcbf12fe40e09563a0c4a5b8a3d209e0

SHA512
82e4fa02e87bf8baf47d5868d7ce4243550e0c7429a448bc1f84941fd222f8dadf153b738a9ad24107f1a565f157325f62acc7bffedd5e19b17d95acab1b1d66

Download Submit
memory/388-1637-0x000001DEEB650000-0x000001DEEB79F000-memory.dmp

Filesize
1.3MB

Download
memory/448-405-0x000002F158400000-0x000002F15854F000-memory.dmp

Filesize
1.3MB

Download
memory/452-1597-0x00000211FA660000-0x00000211FA7AF000-memory.dmp

Filesize
1.3MB

Download
memory/476-208-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/532-2017-0x00000141EC310000-0x00000141EC45F000-memory.dmp

Filesize
1.3MB

Download
memory/640-2101-0x00000255441D0000-0x000002554431F000-memory.dmp

Filesize
1.3MB

Download
memory/1012-359-0x000001B83D5F0000-0x000001B83D73F000-memory.dmp

Filesize
1.3MB

Download
memory/1012-659-0x000001C87F530000-0x000001C87F67F000-memory.dmp

Filesize
1.3MB

Download
memory/1076-88-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1076-96-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/1076-90-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download
memory/1076-92-0x0000000002860000-0x000000000289C000-memory.dmp

Filesize
240KB

Download
memory/1076-91-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/1076-89-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/1276-491-0x0000029F7BCB0000-0x0000029F7BDFF000-memory.dmp

Filesize
1.3MB

Download
memory/1296-786-0x000001BF77F80000-0x000001BF780CF000-memory.dmp

Filesize
1.3MB

Download
memory/1372-1720-0x000002039E510000-0x000002039E65F000-memory.dmp

Filesize
1.3MB

Download
memory/1388-2271-0x0000028CBF060000-0x0000028CBF1AF000-memory.dmp

Filesize
1.3MB

Download
memory/1428-1554-0x000001FBC9F00000-0x000001FBCA04F000-memory.dmp

Filesize
1.3MB

Download
memory/1444-306-0x000002341EC50000-0x000002341ED9F000-memory.dmp

Filesize
1.3MB

Download
memory/1540-1848-0x00000251DE640000-0x00000251DE78F000-memory.dmp

Filesize
1.3MB

Download
memory/1560-962-0x00000245C1BF0000-0x00000245C1D3F000-memory.dmp

Filesize
1.3MB

Download
memory/1628-2738-0x0000019970D80000-0x0000019970ECF000-memory.dmp

Filesize
1.3MB

Download
memory/1636-1085-0x000001A8BBFE0000-0x000001A8BC12F000-memory.dmp

Filesize
1.3MB

Download
memory/1644-1131-0x00000176E2A00000-0x00000176E2B4F000-memory.dmp

Filesize
1.3MB

Download
memory/1808-1425-0x0000018066EB0000-0x0000018066FFF000-memory.dmp

Filesize
1.3MB

Download
memory/1876-744-0x0000024035AE0000-0x0000024035C2F000-memory.dmp

Filesize
1.3MB

Download
memory/1988-1043-0x0000016373FE0000-0x000001637412F000-memory.dmp

Filesize
1.3MB

Download
memory/2032-702-0x000002286F2B0000-0x000002286F3FF000-memory.dmp

Filesize
1.3MB

Download
memory/2124-1764-0x00000267F8D20000-0x00000267F8E6F000-memory.dmp

Filesize
1.3MB

Download
memory/2124-2357-0x0000010EF3520000-0x0000010EF366F000-memory.dmp

Filesize
1.3MB

Download
memory/2128-2484-0x000001D7DBFF0000-0x000001D7DC13F000-memory.dmp

Filesize
1.3MB

Download
memory/2248-446-0x0000019865CD0000-0x0000019865E1F000-memory.dmp

Filesize
1.3MB

Download
memory/2260-2143-0x000001E222160000-0x000001E2222AF000-memory.dmp

Filesize
1.3MB

Download
memory/2276-872-0x000002543BD50000-0x000002543BE9F000-memory.dmp

Filesize
1.3MB

Download
memory/2336-2652-0x000001BDC73E0000-0x000001BDC752F000-memory.dmp

Filesize
1.3MB

Download
memory/2344-2567-0x000001CA6B570000-0x000001CA6B6BF000-memory.dmp

Filesize
1.3MB

Download
memory/2356-2524-0x000001DCB2D30000-0x000001DCB2E7F000-memory.dmp

Filesize
1.3MB

Download
memory/2384-2609-0x0000012BFCDD0000-0x0000012BFCF1F000-memory.dmp

Filesize
1.3MB

Download
memory/2480-1170-0x0000024DCCE40000-0x0000024DCCF8F000-memory.dmp

Filesize
1.3MB

Download
memory/2564-2185-0x0000025FF89D0000-0x0000025FF8B1F000-memory.dmp

Filesize
1.3MB

Download
memory/2612-1381-0x000001C5B4710000-0x000001C5B485F000-memory.dmp

Filesize
1.3MB

Download
memory/2628-56-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/2628-52-0x00000236B3EE0000-0x00000236B3EF0000-memory.dmp

Filesize
64KB

Download
memory/2628-27-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/2628-29-0x00000236B3EE0000-0x00000236B3EF0000-memory.dmp

Filesize
64KB

Download
memory/2628-51-0x00000236B3EE0000-0x00000236B3EF0000-memory.dmp

Filesize
64KB

Download
memory/2628-55-0x00000236B3EF0000-0x00000236B403F000-memory.dmp

Filesize
1.3MB

Download
memory/2628-40-0x000002369B910000-0x000002369B932000-memory.dmp

Filesize
136KB

Download
memory/2628-28-0x00000236B3EE0000-0x00000236B3EF0000-memory.dmp

Filesize
64KB

Download
memory/2736-203-0x0000000074A70000-0x0000000075221000-memory.dmp

Filesize
7.7MB

Download
memory/2740-205-0x0000000074A70000-0x0000000075221000-memory.dmp

Filesize
7.7MB

Download
memory/2740-191-0x0000000074A70000-0x0000000075221000-memory.dmp

Filesize
7.7MB

Download
memory/2740-190-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2848-1001-0x000001FC00060000-0x000001FC001AF000-memory.dmp

Filesize
1.3MB

Download
memory/2984-577-0x00000270C1960000-0x00000270C1AAF000-memory.dmp

Filesize
1.3MB

Download
memory/3160-916-0x0000023A29250000-0x0000023A2939F000-memory.dmp

Filesize
1.3MB

Download
memory/3172-2784-0x000001DFFCB80000-0x000001DFFCCCF000-memory.dmp

Filesize
1.3MB

Download
memory/3216-1467-0x000002BF4DCA0000-0x000002BF4DDEF000-memory.dmp

Filesize
1.3MB

Download
memory/3256-2696-0x00000283450A0000-0x00000283451EF000-memory.dmp

Filesize
1.3MB

Download
memory/3336-1680-0x0000027E59AB0000-0x0000027E59BFF000-memory.dmp

Filesize
1.3MB

Download
memory/3584-1211-0x0000027E9EB10000-0x0000027E9EC5F000-memory.dmp

Filesize
1.3MB

Download
memory/3608-137-0x0000000002760000-0x0000000002772000-memory.dmp

Filesize
72KB

Download
memory/3608-123-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/3608-169-0x000000001B180000-0x000000001B190000-memory.dmp

Filesize
64KB

Download
memory/3608-170-0x000000001BA50000-0x000000001BC12000-memory.dmp

Filesize
1.8MB

Download
memory/3608-146-0x0000000002910000-0x000000000295E000-memory.dmp

Filesize
312KB

Download
memory/3608-193-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/3608-173-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/3608-159-0x000000001B160000-0x000000001B178000-memory.dmp

Filesize
96KB

Download
memory/3608-120-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/3608-121-0x00000000003E0000-0x00000000004DC000-memory.dmp

Filesize
1008KB

Download
memory/3656-157-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/3656-131-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/3656-122-0x000000001B240000-0x000000001B250000-memory.dmp

Filesize
64KB

Download
memory/3656-47-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/3684-1894-0x0000024977020000-0x000002497716F000-memory.dmp

Filesize
1.3MB

Download
memory/3740-42-0x000000001BEC0000-0x000000001BF1C000-memory.dmp

Filesize
368KB

Download
memory/3740-72-0x0000000001810000-0x0000000001822000-memory.dmp

Filesize
72KB

Download
memory/3740-119-0x00007FFEFFD90000-0x00007FFF00731000-memory.dmp

Filesize
9.6MB

Download
memory/3740-41-0x00007FFEFFD90000-0x00007FFF00731000-memory.dmp

Filesize
9.6MB

Download
memory/3740-74-0x000000001D1D0000-0x000000001D1F0000-memory.dmp

Filesize
128KB

Download
memory/3740-50-0x00007FFEFFD90000-0x00007FFF00731000-memory.dmp

Filesize
9.6MB

Download
memory/3740-31-0x0000000001760000-0x0000000001770000-memory.dmp

Filesize
64KB

Download
memory/3740-45-0x000000001C080000-0x000000001C08E000-memory.dmp

Filesize
56KB

Download
memory/3740-73-0x0000000001780000-0x0000000001788000-memory.dmp

Filesize
32KB

Download
memory/3740-70-0x000000001CBA0000-0x000000001CBB6000-memory.dmp

Filesize
88KB

Download
memory/3740-48-0x000000001C560000-0x000000001CA2E000-memory.dmp

Filesize
4.8MB

Download
memory/3740-49-0x000000001CAD0000-0x000000001CB6C000-memory.dmp

Filesize
624KB

Download
memory/3752-1296-0x000001E6596E0000-0x000001E65982F000-memory.dmp

Filesize
1.3MB

Download
memory/3816-1338-0x0000018C27670000-0x0000018C277BF000-memory.dmp

Filesize
1.3MB

Download
memory/3872-618-0x00000155D1A80000-0x00000155D1BCF000-memory.dmp

Filesize
1.3MB

Download
memory/4140-168-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/4232-2312-0x0000016D4D560000-0x0000016D4D6AF000-memory.dmp

Filesize
1.3MB

Download
memory/4268-2060-0x000001FBF92A0000-0x000001FBF93EF000-memory.dmp

Filesize
1.3MB

Download
memory/4324-62-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/4400-834-0x000002667AFF0000-0x000002667B13F000-memory.dmp

Filesize
1.3MB

Download
memory/4508-1805-0x000002CF2BFE0000-0x000002CF2C12F000-memory.dmp

Filesize
1.3MB

Download
memory/4536-184-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/4536-99-0x0000000019B00000-0x0000000019B10000-memory.dmp

Filesize
64KB

Download
memory/4536-192-0x0000000019B00000-0x0000000019B10000-memory.dmp

Filesize
64KB

Download
memory/4536-98-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/4536-100-0x000000001A020000-0x000000001A12A000-memory.dmp

Filesize
1.0MB

Download
memory/4540-154-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/4540-158-0x00007FFF00390000-0x00007FFF00D31000-memory.dmp

Filesize
9.6MB

Download
memory/4540-156-0x00007FFF00390000-0x00007FFF00D31000-memory.dmp

Filesize
9.6MB

Download
memory/4600-1511-0x00000294CAE90000-0x00000294CAFDF000-memory.dmp

Filesize
1.3MB

Download
memory/4640-1253-0x00000253720B0000-0x00000253721FF000-memory.dmp

Filesize
1.3MB

Download
memory/4668-2441-0x00000126E64F0000-0x00000126E663F000-memory.dmp

Filesize
1.3MB

Download
memory/4672-532-0x000001B6CE040000-0x000001B6CE18F000-memory.dmp

Filesize
1.3MB

Download
memory/4728-147-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/4728-204-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/4728-196-0x000001FA49ED0000-0x000001FA4A01F000-memory.dmp

Filesize
1.3MB

Download
memory/4728-151-0x000001FA49DC0000-0x000001FA49DD0000-memory.dmp

Filesize
64KB

Download
memory/4728-153-0x000001FA49DC0000-0x000001FA49DD0000-memory.dmp

Filesize
64KB

Download
memory/4728-194-0x000001FA49DC0000-0x000001FA49DD0000-memory.dmp

Filesize
64KB

Download
memory/4728-187-0x000001FA49DC0000-0x000001FA49DD0000-memory.dmp

Filesize
64KB

Download
memory/4764-254-0x000002CE6D0D0000-0x000002CE6D21F000-memory.dmp

Filesize
1.3MB

Download
memory/4876-1975-0x0000020EB0CE0000-0x0000020EB0E2F000-memory.dmp

Filesize
1.3MB

Download
memory/4888-0-0x0000000000F40000-0x0000000001184000-memory.dmp

Filesize
2.3MB

Download
memory/4888-30-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/4888-2-0x0000000003250000-0x0000000003260000-memory.dmp

Filesize
64KB

Download
memory/4888-1-0x00007FFF058F0000-0x00007FFF063B2000-memory.dmp

Filesize
10.8MB

Download
memory/4932-2228-0x00000218E9DD0000-0x00000218E9F1F000-memory.dmp

Filesize
1.3MB

Download
memory/4948-2401-0x000001CDB33F0000-0x000001CDB353F000-memory.dmp

Filesize
1.3MB

Download
memory/4988-1939-0x000002EA4F020000-0x000002EA4F16F000-memory.dmp

Filesize
1.3MB

Download