Malware Analysis Report

2025-01-18 04:44

Sample ID: 230608-ntxrkseh85
Target: sinple.exe
SHA256: 06a0a8d963239e64adfedf7332c222e2beaf2aa4ab971bc1c9e5b9804a30ee6f
Tags: stealer revengerat trojan persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 06a0a8d963239e64adfedf7332c222e2beaf2aa4ab971bc1c9e5b9804a30ee6f

Threat Level: Known bad

The file sinple.exe was found to be: Known bad.

Malicious Activity Summary

stealer revengerat trojan persistence

RevengeRat Executable

Revengerat family

RevengeRAT

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-06-08 11:41

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-08 11:41
Reported: 2023-06-08 11:44
Platform: win7-20230220-en
Max time kernel: 48s
Max time network: 40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinple.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Proxifier.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Proxifier.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1008 wrote to memory of 1784 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1736 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 516 wrote to memory of 1820 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1736 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1196 wrote to memory of 1380 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1736 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 752 wrote to memory of 756 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1736 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1788 wrote to memory of 884 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1736 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1536 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1736 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 776 wrote to memory of 536 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1736 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1136 wrote to memory of 1624 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinple.exe

"C:\Users\Admin\AppData\Local\Temp\sinple.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\drrdubo5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E2D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ja5xoet-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FF1.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5nbzuju-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90AC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dn7cgxyb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91B6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ocqbxef.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92BF.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rm5wtm-i.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES938B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc938A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r3s0bhpv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9484.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9483.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jzyimfce.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc954E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8aa6zjwe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES960A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9609.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o6oxt8hb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9733.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9732.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uc1dgc5u.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97DD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dtf0uxiy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98C7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hmtey0fl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9983.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9982.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v1mct50i.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A8C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee-2cbkr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B47.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\koqgqcxq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C32.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C31.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\56q8jpi6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E44.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E43.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ikqaj31i.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F0F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F0E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pc4oxifs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FC9.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftysnjp8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA085.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA084.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cuwfqwsb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA16F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA16E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uyidrzb0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA24A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA239.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4qc45a7s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2E5.tmp"

C:\Users\Admin\AppData\Roaming\Proxifier.exe

"C:\Users\Admin\AppData\Roaming\Proxifier.exe"

Network

Country Destination Domain Proto
US 45.61.48.65:6767 tcp

Files

SHA256 4aa1dc0fb9c3e85a38249e89226894afca7fe98b84c3c14f3504cb31797cb04b
SHA512 dcec0e91d66a1c64787c003441d838b146679bb7e7d0711af6db6e591ba84e19875c44de0059d6244d049bcc42f9f637aa3012cdae8684e379aa5b52eef6563b

C:\Users\Admin\AppData\Local\Temp\jzyimfce.cmdline

MD5 d10d8c7630b2caa342d7fcc8ff590788
SHA1 8f1fe282872618ab2114bd13aa9d8291b60810f5
SHA256 f7211c75700eb65b0dafee41d4a3c38edb92394d96ab1f96c509a5b379ebb1aa
SHA512 417ba817786eef415f19a9325f0553c0492a081c8cc0c97523dadab578fab6e22a061d74704fd09b60730181d11d35f35d976875a98912498f07673f002477f5

C:\Users\Admin\AppData\Local\Temp\jzyimfce.0.vb

MD5 20ee6329b751aebd77717efdc917a156
SHA1 42a0e13e322adaf2d68766fa4a86c86634b146bb
SHA256 f13d391d916dfafd08f999352ae3704640a61e80cab3503fc4bbf8b071ac9b98
SHA512 d64d3b00971cd5b429e0efc89aefa353f78a8560d9f7d64e144d4da685f364e9f0cf605b7e4c6c159111879661cad80421236559ddcd313969a56422a5998b43

C:\ProgramData\RR\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc954E.tmp

MD5 5aaace268cc2cba471cdcc17ba01077c
SHA1 006a56f624867ccf4a3707a6a58464b37ee8e3b8
SHA256 b6c9a20e9a373ab6748acf44c47529da95139eb0c464829ced91317f7bc44581
SHA512 bb48a1e4e7b124792e505c27d6398dbc15d62b75932dc9dde713325f2767b40908d8901cd6c0a6b7d5c3009b656b20bdadfa7800a6a3921c4eb2649d247e7149

C:\Users\Admin\AppData\Local\Temp\RES954F.tmp

MD5 1298ce25929fe2e8d63cd12d977ae6e3
SHA1 5e2df2c99e64ddad9560b9da6fc510ef6d914a58
SHA256 d00d5935c7df39f4c557b91d0fe46ac10e2186ea3c814cee5bfa492d4ddd1ddc
SHA512 3f8ce773289306bc26ea322926f367a4300c02d5f5d2b4bcd29c371943505dc6329c23416675e6a32a9ab56e2f80af3ca9c54d95f9796849197edec06a2c8757

C:\Users\Admin\AppData\Local\Temp\8aa6zjwe.cmdline

MD5 a818c8fab7d37fc55abda6fad3ad4b1a
SHA1 db0e918a8d9d35258adbf53a7fdf96d5a6297a2c
SHA256 7eb1bdab7c99c0edc24ab33b5a153be40e8cd150b4e492395d38d9a24fa2580b
SHA512 3c805f675356f6d261d4c177cecafd912d0a94cd0dbe127051bfdec550a0cae7bf891450921549618f2f0e69960417b877d454a0342a020239b816f88d384545

memory/1352-185-0x0000000001EF0000-0x0000000001F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8aa6zjwe.0.vb

MD5 d6ad23b321c78bf5f60c85b1b6e84958
SHA1 dc184031c8795be088f0d64d8d7ad239b4c88f19
SHA256 d7e67c772a1059032ae5906e48aa25007fb5c3b9bf4138bb57db7b734f365f0f
SHA512 de50b3e83afaef8c597d1e18bbb44e923e9720dfb49a201353e0b71aab66bf61d5a30de12132b5f6da48dced5abe252f7505d56c1621f2548905af4f4fdfe8fe

C:\ProgramData\RR\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc9609.tmp

MD5 e9e95d8b9fcce9dde9109d33d6d79648
SHA1 5b4710da6d497089be3c224a93d814f54a2737f1
SHA256 ecd6c8b309f2c43caf21c990ff94db61bf417d559fb92cee2c22bdbed789c71b
SHA512 b1f386470b4a514a63365428b1ace30c2da3146d308291874fd23661530aa5921d86eb7e544f2867c4e35e8544ef45186f3399aa46edd91df444f2f1722fd214

C:\Users\Admin\AppData\Local\Temp\RES960A.tmp

MD5 11135d7e5c122b4be7cf90afff88454b
SHA1 426978b4c52930ad04b7f96078dd16f78ca67451
SHA256 e96f9f06bcc78197e7e96eaa63520741c917b60e19b8f8d72b72dfc050b8eb6f
SHA512 8dff41da9cf2d1ff05df2b491a18eace4a800c6e8dad3b5d31a53d3240f09c170054c053b02b9d56b9fa5c0fb0ce7d36fbbea69fef1dcc16ac5a6ba2523e031d

C:\Users\Admin\AppData\Local\Temp\o6oxt8hb.cmdline

MD5 f863889115881fdd3cc85711e100803d
SHA1 ede7495ba21140c01c666f8bdcf27b5918134a0f
SHA256 0be745ada8beee3af51868cd75f0d9339da22e18d7aae87d7e28d3a475590b93
SHA512 e47986d8b8598e57adad9eb05e78db4beb3743ce731a7d5f17e9b4b36abc495e792e5246ec2963d093514bd0d2182f0aaaa9a194927b0f0c987d460d1c45b0de

C:\Users\Admin\AppData\Local\Temp\o6oxt8hb.0.vb

MD5 2b602e97d8f27ea52f36b7fc0a54888a
SHA1 067627e8844e80d5b53a84d60d961de74b7bb2a7
SHA256 68fc3102135efa4bb3778832043605b7e588b184a48b88a47f7b76bbe0ac0692
SHA512 5011be85ca87139c35f92044ea04e945f64ce451edfee499362063dcafa2b273e14da188c200cfc968ca01bf2c46fbf5e187f06b7839eb4963b0c4820e0f0bb6

C:\ProgramData\RR\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc9732.tmp

MD5 f6a6579926f8ab59589b1cf616304673
SHA1 c582c3a336ace4f4799692fed4a4a82f586959ad
SHA256 395fd3137466150a90328b1ee6a93cfb5d5d7c497a6af3ef84f1002d681305a4
SHA512 04e6ca5603b128200b1421c6c8b321a4d39917f9ac60fe782926db1fdcb4bab301601f41d369d3677c8984f5956ff33946d8a95ce7b4bb5b0c8afb8df30a41aa

C:\Users\Admin\AppData\Local\Temp\RES9733.tmp

MD5 12451254d5e7a6df293f9af9cb4479d5
SHA1 094f4e89632514de867651f03b5f49c5b3b53a70
SHA256 6fde6b9d29833861290e8c205da10475980d9960c2c726ce0afc1684eb9b4478
SHA512 be4c432e60068d395a5bec939f3a9528bf32df2944ca53d6fadff846f5c4d4d318f74aabd968fccaeb43ff1424f8e0da05b0d1430870e7803c1fad4fad5483dd

C:\Users\Admin\AppData\Local\Temp\uc1dgc5u.cmdline

MD5 b00e1829dfccbac6d487bd59f8945d72
SHA1 d10cc99206a465fbc78b99842761f51be32aa165
SHA256 76a0fc12fbb9ee1f1ad69964de3d45a2f0243c9fa9ee9f8a2d98409ad4f79379
SHA512 92dc3dd9c4a992dbae4665a027afee151d50d39b33ddc96a91d60fb78f737a6dff6b40a8fe7ff87ca429a32fc36a51c4eba96062043c5f0461047b45fd0dfcea

C:\Users\Admin\AppData\Local\Temp\uc1dgc5u.0.vb

MD5 229ceeda3d01a47c7ec805fbc68adec5
SHA1 862e27673e6c96418b11a7b489d34979a0769b63
SHA256 8a9401559b55732e163c376b019394707767ec3219f2443e4716dc17a66868e7
SHA512 c6a2c33c8428961a719ce547c1915e0a89e8bf63d23c9c5fbc074ff0cf7f9f679fecd81eaeaaaedc0e330f51eb0818fd5c8a143dad87c18309e89473c3046e32

C:\ProgramData\RR\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\RES97DE.tmp

MD5 c8deecda4e4c244a92f69ccb38704356
SHA1 417177e0ebb302d53eb9e24c284cbada21a930a9
SHA256 1db98b002aef928d24af8ce9f8ae23732c264a6315c4c67c6d6dae9974094e52
SHA512 b5bd7e5c928e705cfca36377a3ae1a45c2828848d6d994b20eb505012357ef68431c7d637c9390a96bfebdfedc4c410113da9cb7942ecab19408bada3c79e392

C:\Users\Admin\AppData\Local\Temp\vbc97DD.tmp

MD5 7e29200b3bd3cd44814c02d517c87064
SHA1 2b6dea9f3b5e192521f516cab4484340e42fffbc
SHA256 9a889340720cc8c0a3c042f412bdfb3479605fcdad1cd7bdf138b3eea4c27159
SHA512 4c86c18c5b470727311a32044dd8133303a0bb2cdd0255cd3f11d95aac28bd445c1001e27586977e82d99d2e241c3a36bb16f42ee48e94a85a71d60429976e2b

C:\Users\Admin\AppData\Local\Temp\dtf0uxiy.cmdline

MD5 c9e58dad75934ecd481f8f0dfdac101d
SHA1 a9ccdc67c37c97022feae362e45106f47c89ac04
SHA256 7ee2cd414b54d8458c61d039073a5930bbd536a26d66694e795a1eee3c1babfc
SHA512 3cc8bb823182aa784ed3266ce8ef3d14e11e71fa4b1418e884e74f5b38ea04e05e708417158e3564f6a33f4fe7888518079057f50839161efdcae2f419cee432

C:\Users\Admin\AppData\Local\Temp\dtf0uxiy.0.vb

MD5 17926b0653225224f0fe8e4117977e8b
SHA1 0d90e4ad975b1a08a4dee3ac0def26010ba24696
SHA256 5103ba7bdac31f926cdda8eebc2750f28755c53ac805a59289a95d9627205e86
SHA512 805267fe7caffebd2146983f9a7b668779447ac20cba5d2e4a96bcc328513a26cc02aad800fba0dc5778bfb31a8d9ac7871e4a720d510cfbc5dd0a17a5632b89

C:\ProgramData\RR\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc98C7.tmp

MD5 b720714c1dcceb83f360b21978b61ae0
SHA1 f03b8c47c5f1bdad66a188cf1ed93861b4100cf8
SHA256 236293656caa2cbb53e34a0e4aa107ddc71a66d5f59d403e202cf8822eecb6f2
SHA512 da5d14a53accfb19a1dd5c52c3730849633142272e7df084bbf27a886189b8d0249e4e9087ada9b8e39fe8428b03744ebd77e9d4ac81c258c1c997fda12fe109

C:\Users\Admin\AppData\Local\Temp\RES98C8.tmp

MD5 89caffb9e7cb9efdc8a306e6c5fda3db
SHA1 d9d0bcc658d809178ea682382746f5f6c79bbf53
SHA256 07125667b796b239f99d329080b5e3934f4f48d080c19fd1a35d30aaec9f4257
SHA512 9945f6ba92c11ad367f316b04f6d0b00e1dc039bc7d5bb2c35219a3c6dd5fef00676d414777128f7019ca9979830805c8b6b47631ad1d8af6ed5a7026c890e20

C:\Users\Admin\AppData\Local\Temp\hmtey0fl.cmdline

MD5 7f3b80cc9e676c7f20eff0467554de64
SHA1 9980355393ca26313bf158e49b858a44996ee98b
SHA256 9b1b9a0482478dbd74f7739409f817a5f05a153e299dc67c0f685fc1275b723e
SHA512 3cc0eac56b6b6f5ca3cedeb044c1aebba69eb175e978a57e78a2c2288265e9621ea693c357994befbc0204b3ccc98ad4ec15b3891c81536ff2a88dffcf3abf5f

C:\Users\Admin\AppData\Local\Temp\hmtey0fl.0.vb

MD5 77acd2541a160fefc7f7be7420d4c501
SHA1 59a2a4138f0138b95c14c39eb6124fef655cc178
SHA256 6f5d6e20e01893b2d3767a5cf15cabc96ae8800d92e170aad0c79ebf9126474c
SHA512 8dcc80a4fa55a44d57ec57c94bfc6c240d5681f1607ab3719d49fb0d4356e786cf1cb17f59878b9e26d34bfe3564f012b17708ee153a8e3163f96b164606484b

C:\ProgramData\RR\vcredist2022_x64_000_vcRuntimeMinimum_x64.ico

MD5 c398ae0c9782f218c0068cd155cb676c
SHA1 7c5bb00a34d55518a401cd3c60c8821ed58eb433
SHA256 9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3
SHA512 85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

C:\Users\Admin\AppData\Local\Temp\vbc9982.tmp

MD5 fb8f5c3b2ca288fc561389705829d85c
SHA1 fe5239f74f9bc3cfb372cc230a72a303aaf9d02a
SHA256 c34f4fb8a7cec76fb35ea5fae9f81a5a0bc8ad767107b8450cef4257a8bab39b
SHA512 c6f0510d0099ff1129c94002d3b9acb9c3fd875f5106b379eaccbff103d5ea18ebb4797b6ce92d9f16d0541189257af9797a1633355b5a5078064a08138814e8

memory/1636-281-0x00000000020D0000-0x0000000002110000-memory.dmp

memory/1652-337-0x0000000000270000-0x00000000002B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Proxifier.exe

MD5 0923eeaec8c777e7d62d15fd71c46aaf
SHA1 17e5d701a931468b17e49f06b3eddc5d88a4dcf3
SHA256 06a0a8d963239e64adfedf7332c222e2beaf2aa4ab971bc1c9e5b9804a30ee6f
SHA512 9847456153f74f06b2db1bec6eb4d3059e3d25932f2ed2164f9faec1b63dced1567d183c7698bf7ea18f7c9c2af198b37e10af38fbc5d91d43eb066fbf14cf99

memory/1032-356-0x00000000002B0000-0x00000000002F0000-memory.dmp

memory/1652-357-0x0000000000270000-0x00000000002B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-08 11:41

Reported

2023-06-08 11:44

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sinple.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sinple.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Proxifier.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Proxifier.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Proxifier.exe" C:\Users\Admin\AppData\Roaming\Proxifier.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Proxifier.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4884 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2436 wrote to memory of 4460 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4372 wrote to memory of 3404 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3808 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2644 wrote to memory of 1180 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2356 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2224 wrote to memory of 1916 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1016 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 540 wrote to memory of 4976 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2400 wrote to memory of 1884 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2184 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\sinple.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1484 wrote to memory of 5016 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sinple.exe

"C:\Users\Admin\AppData\Local\Temp\sinple.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kszktkfp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CCA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61918E76CC341FA93FE8C3099B749AB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vipiasmt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc428F2A38964536A49C996CC75776.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7sgqms9a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4006.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc59C9ACCBDF25461F8C6648EDAB7A5816.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mghfcbpb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4120.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc390377AF58434EC89175971B21B3EC2.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fggngwti.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4258.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8045C8EC672C4916A711FF8B5E460FB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xp-gtw2g.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C53A39DB1274697A1961F243DFD5CB.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kjooxi5i.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4565.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F2F538858EB4B0A8E2FA28BE74C8C4B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wmjznfsb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7679203888E5401AA57D71222764652.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vlv-ut5q.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4873.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD52A98C4DCF4138A7E684463BD81AC.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gx1sjtfp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85E2E4BA6E1246529F975DACEE55A0F2.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h7yuqwvh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1460D0263A164223A436D7EDAD199059.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nukjguto.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE1CC6DCE00B453BA5A8AE81129979B5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3kofyd3f.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98A69E6141CC4689B847B228DFED2B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rvxx_duj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72D7B5F750BC4231878D312029BC269.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mljhhbpm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES512D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F9AD1034594C17BF54AB99D328A77A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\72denm7c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5311.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF41B52C4D52F46F394A9AE5AB0D3A9FF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u1zu_kcc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES541B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F9E846BD51E4B10B950AC1491BB1B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9uwbrut-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES564E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc735939C282D481BB0424E7B93B0BBE3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zagiasno.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3640FE4882944A68BA12929C3FF45348.TMP"

C:\Users\Admin\AppData\Roaming\Proxifier.exe

"C:\Users\Admin\AppData\Roaming\Proxifier.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s-xaficf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cxsxkcrv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24EE45994F645B89CA129E215B029.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ub98fglq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC036699AC2E14B4F8DE8A6942C1F9735.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fbkrml5w.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE00.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AEA6FFD28184F2F9B8E84902377E3D2.TMP"

Network

Files

memory/2184-133-0x0000000000970000-0x0000000000980000-memory.dmp

memory/2184-134-0x0000000000970000-0x0000000000980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kszktkfp.cmdline

memory/4884-142-0x0000000002410000-0x0000000002420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kszktkfp.0.vb

C:\ProgramData\RR\DumpStack.log.ico

C:\Users\Admin\AppData\Local\Temp\vbc61918E76CC341FA93FE8C3099B749AB.TMP

C:\Users\Admin\AppData\Local\Temp\RES3CCA.tmp

C:\Users\Admin\AppData\Local\Temp\vipiasmt.cmdline

C:\Users\Admin\AppData\Local\Temp\vipiasmt.0.vb

C:\ProgramData\RR\vcredist2010_x64.log-MSI_vc_red.msi.ico

C:\Users\Admin\AppData\Local\Temp\vbc428F2A38964536A49C996CC75776.TMP

C:\Users\Admin\AppData\Local\Temp\RES3E9F.tmp

C:\Users\Admin\AppData\Local\Temp\7sgqms9a.cmdline

C:\Users\Admin\AppData\Local\Temp\7sgqms9a.0.vb

C:\ProgramData\RR\vcredist2010_x64.log.ico

C:\Users\Admin\AppData\Local\Temp\vbc59C9ACCBDF25461F8C6648EDAB7A5816.TMP

C:\Users\Admin\AppData\Local\Temp\RES4006.tmp

C:\Users\Admin\AppData\Local\Temp\mghfcbpb.cmdline

C:\Users\Admin\AppData\Local\Temp\mghfcbpb.0.vb

C:\ProgramData\RR\vcredist2010_x86.log-MSI_vc_red.msi.ico

C:\Users\Admin\AppData\Local\Temp\vbc390377AF58434EC89175971B21B3EC2.TMP

C:\Users\Admin\AppData\Local\Temp\RES4120.tmp

C:\Users\Admin\AppData\Local\Temp\fggngwti.cmdline

C:\Users\Admin\AppData\Local\Temp\fggngwti.0.vb

C:\ProgramData\RR\vcredist2010_x86.log.ico

C:\Users\Admin\AppData\Local\Temp\vbc8045C8EC672C4916A711FF8B5E460FB.TMP

C:\Users\Admin\AppData\Local\Temp\RES4258.tmp

C:\Users\Admin\AppData\Local\Temp\xp-gtw2g.cmdline

C:\Users\Admin\AppData\Local\Temp\xp-gtw2g.0.vb

C:\ProgramData\RR\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc4C53A39DB1274697A1961F243DFD5CB.TMP

C:\Users\Admin\AppData\Local\Temp\RES43FE.tmp

C:\Users\Admin\AppData\Local\Temp\kjooxi5i.cmdline

C:\Users\Admin\AppData\Local\Temp\kjooxi5i.0.vb

C:\ProgramData\RR\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc3F2F538858EB4B0A8E2FA28BE74C8C4B.TMP

C:\Users\Admin\AppData\Local\Temp\RES4565.tmp

C:\ProgramData\RR\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\wmjznfsb.cmdline

C:\Users\Admin\AppData\Local\Temp\wmjznfsb.0.vb

C:\ProgramData\RR\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc7679203888E5401AA57D71222764652.TMP

C:\Users\Admin\AppData\Local\Temp\RES46EC.tmp

C:\Users\Admin\AppData\Local\Temp\vlv-ut5q.cmdline

C:\Users\Admin\AppData\Local\Temp\vlv-ut5q.0.vb

C:\ProgramData\RR\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbcAD52A98C4DCF4138A7E684463BD81AC.TMP

C:\Users\Admin\AppData\Local\Temp\RES4873.tmp

C:\Users\Admin\AppData\Local\Temp\gx1sjtfp.cmdline

C:\Users\Admin\AppData\Local\Temp\gx1sjtfp.0.vb

C:\ProgramData\RR\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc85E2E4BA6E1246529F975DACEE55A0F2.TMP

C:\Users\Admin\AppData\Local\Temp\RES49CA.tmp

C:\Users\Admin\AppData\Local\Temp\h7yuqwvh.cmdline

C:\Users\Admin\AppData\Local\Temp\h7yuqwvh.0.vb

C:\ProgramData\RR\vcredist2013_x64_001_vcRuntimeAdditional_x64.ico

C:\Users\Admin\AppData\Local\Temp\vbc1460D0263A164223A436D7EDAD199059.TMP

memory/1484-299-0x0000000002440000-0x0000000002450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES4B80.tmp

C:\Users\Admin\AppData\Local\Temp\nukjguto.cmdline

C:\Users\Admin\AppData\Local\Temp\nukjguto.0.vb

C:\ProgramData\RR\vcredist2013_x86_000_vcRuntimeMinimum_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbcAE1CC6DCE00B453BA5A8AE81129979B5.TMP

C:\Users\Admin\AppData\Local\Temp\RES4CF7.tmp

C:\Users\Admin\AppData\Local\Temp\3kofyd3f.cmdline

C:\Users\Admin\AppData\Local\Temp\3kofyd3f.0.vb

C:\ProgramData\RR\vcredist2013_x86_001_vcRuntimeAdditional_x86.ico

C:\Users\Admin\AppData\Local\Temp\vbc98A69E6141CC4689B847B228DFED2B.TMP

memory/3952-337-0x00000000026A0000-0x00000000026B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Proxifier.exe

memory/2184-392-0x0000000000970000-0x0000000000980000-memory.dmp

memory/428-393-0x0000000002540000-0x0000000002550000-memory.dmp

memory/4576-408-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

memory/4576-409-0x0000000000BD0000-0x0000000000BE0000-memory.dmp