bitrat | 8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

17-04-2024 14:54

15-04-2024 13:19

10-04-2024 12:02

10-04-2024 12:02

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bff99becc32bcbe56efbe7a75f4d45.exe
Size

7.0MB
MD5

75bff99becc32bcbe56efbe7a75f4d45
SHA1

81bfcc77809161a5254a27d3d4d30548c96fcd5b
SHA256

8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2
SHA512

940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69
SSDEEP

49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes

communication_password
d93b4f1ee6f5b875a4f7fcef966bd09a
tor_process
WinSock

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4736-8-0x00000000031A0000-0x0000000003222000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-12-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-10-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-14-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-22-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-20-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-24-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-26-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-18-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-28-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-44-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-58-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-72-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-70-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-68-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-66-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-64-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-62-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-60-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-56-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-54-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-52-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-50-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-48-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-46-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-42-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-40-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-38-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-36-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-34-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-32-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-30-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-16-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1
behavioral2/memory/4736-9-0x00000000031A0000-0x000000000321C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\","	75bff99becc32bcbe56efbe7a75f4d45.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	75bff99becc32bcbe56efbe7a75f4d45.exe

Executes dropped EXE 3 IoCs

Processes:

WinSock.exeWinSock.exeWinSock.exe

pid process

2188 WinSock.exe
3368 WinSock.exe
6104 WinSock.exe

Loads dropped DLL 23 IoCs

Processes:

WinSock.exeWinSock.exeWinSock.exe

pid	process
2188	WinSock.exe
2188	WinSock.exe
2188	WinSock.exe
2188	WinSock.exe
2188	WinSock.exe
2188	WinSock.exe
2188	WinSock.exe
2188	WinSock.exe
2188	WinSock.exe
3368	WinSock.exe
3368	WinSock.exe
3368	WinSock.exe
3368	WinSock.exe
3368	WinSock.exe
3368	WinSock.exe
3368	WinSock.exe
6104	WinSock.exe
6104	WinSock.exe
6104	WinSock.exe
6104	WinSock.exe
6104	WinSock.exe
6104	WinSock.exe
6104	WinSock.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll	upx
behavioral2/memory/2188-2469-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/2188-2481-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral2/memory/2188-2486-0x0000000073700000-0x000000007380A000-memory.dmp	upx
behavioral2/memory/2188-2484-0x0000000073960000-0x0000000073A2E000-memory.dmp	upx
behavioral2/memory/2188-2483-0x00000000733A0000-0x0000000073428000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	upx
behavioral2/memory/2188-2476-0x0000000073810000-0x0000000073834000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll	upx
behavioral2/memory/2188-2473-0x0000000073840000-0x0000000073889000-memory.dmp	upx
behavioral2/memory/2188-2472-0x0000000073890000-0x0000000073958000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	upx
behavioral2/memory/2188-2535-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral2/memory/2188-2534-0x0000000073810000-0x0000000073834000-memory.dmp	upx
behavioral2/memory/2188-2533-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/2188-2537-0x0000000073840000-0x0000000073889000-memory.dmp	upx
behavioral2/memory/2188-2536-0x0000000073890000-0x0000000073958000-memory.dmp	upx
behavioral2/memory/2188-2547-0x0000000073960000-0x0000000073A2E000-memory.dmp	upx
behavioral2/memory/3368-2606-0x0000000073890000-0x0000000073958000-memory.dmp	upx
behavioral2/memory/3368-2604-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral2/memory/3368-2602-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/3368-2613-0x0000000073810000-0x0000000073834000-memory.dmp	upx
behavioral2/memory/2188-2611-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/3368-2614-0x0000000073700000-0x000000007380A000-memory.dmp	upx
behavioral2/memory/3368-2617-0x00000000733A0000-0x0000000073428000-memory.dmp	upx
behavioral2/memory/3368-2610-0x0000000073840000-0x0000000073889000-memory.dmp	upx
behavioral2/memory/3368-2609-0x0000000073960000-0x0000000073A2E000-memory.dmp	upx
behavioral2/memory/3368-2623-0x0000000073960000-0x0000000073A2E000-memory.dmp	upx
behavioral2/memory/3368-2624-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/3368-2625-0x0000000073430000-0x00000000736FF000-memory.dmp	upx
behavioral2/memory/3368-2626-0x0000000073890000-0x0000000073958000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	upx
behavioral2/memory/6104-2640-0x0000000073610000-0x0000000073634000-memory.dmp	upx
behavioral2/memory/6104-2642-0x0000000073500000-0x000000007360A000-memory.dmp	upx
behavioral2/memory/6104-2645-0x00000000733A0000-0x000000007346E000-memory.dmp	upx
behavioral2/memory/6104-2648-0x0000000073760000-0x0000000073A2F000-memory.dmp	upx
behavioral2/memory/6104-2641-0x0000000073470000-0x00000000734F8000-memory.dmp	upx
behavioral2/memory/6104-2639-0x0000000073640000-0x0000000073689000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll	upx
behavioral2/memory/6104-2638-0x0000000073690000-0x0000000073758000-memory.dmp	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe	upx
behavioral2/memory/6104-2664-0x0000000000310000-0x0000000000714000-memory.dmp	upx

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

73 myexternalip.com
62 myexternalip.com
63 myexternalip.com

flow	ioc
73	myexternalip.com
62	myexternalip.com
63	myexternalip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid	process
1440	75bff99becc32bcbe56efbe7a75f4d45.exe
1440	75bff99becc32bcbe56efbe7a75f4d45.exe
1440	75bff99becc32bcbe56efbe7a75f4d45.exe
1440	75bff99becc32bcbe56efbe7a75f4d45.exe
1440	75bff99becc32bcbe56efbe7a75f4d45.exe
1440	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

description pid process target process

PID 4736 set thread context of 1440 4736 75bff99becc32bcbe56efbe7a75f4d45.exe 75bff99becc32bcbe56efbe7a75f4d45.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4736 set thread context of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid	process
4736	75bff99becc32bcbe56efbe7a75f4d45.exe
4736	75bff99becc32bcbe56efbe7a75f4d45.exe
4736	75bff99becc32bcbe56efbe7a75f4d45.exe
4736	75bff99becc32bcbe56efbe7a75f4d45.exe
4736	75bff99becc32bcbe56efbe7a75f4d45.exe
4736	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe75bff99becc32bcbe56efbe7a75f4d45.exe

description	pid	process
Token: SeDebugPrivilege	4736	75bff99becc32bcbe56efbe7a75f4d45.exe
Token: SeShutdownPrivilege	1440	75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe

pid process

1440 75bff99becc32bcbe56efbe7a75f4d45.exe
1440 75bff99becc32bcbe56efbe7a75f4d45.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

75bff99becc32bcbe56efbe7a75f4d45.exe75bff99becc32bcbe56efbe7a75f4d45.exe

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
"C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
2⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
C:\Users\Admin\AppData\Local\Temp\75bff99becc32bcbe56efbe7a75f4d45.exe
2⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3368

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
"C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe" -f torrc
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
Filesize
323KB

MD5
3fb4454010218d0aaffd17f5a10f70cb

SHA1
101f0c030973339a509aafe2dffa34768db6f513

SHA256
c9e091da739e3fc11642d76c555540bfbf6ea06f898e8178b4393510783a1219

SHA512
a6be8301fd6c0b0888d5f025f6edb6ca08495970b1153809704877dd1c4b6fc34cbf66aa0f7252c18ca141a7b56fa49cf52fd2fab674601ad3b4ac6974b0ecdb

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
Filesize
523KB

MD5
3c583bfbaac85d1df27766d90941801f

SHA1
0ae4135d3704f2fc186adc0c1987e0c067c1ad04

SHA256
76edae689b777ec64d3e580c2d5830e4458298eaff94ef8b55d9b416e51644e5

SHA512
583727d17594cd083e14a8e0f284ec808a134d443dd58d4d3702a176006731b2101e07a6b53007536855e747bf00a7c7ec18efaab2a18666a3e54170e4849a60

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
Filesize
445KB

MD5
795d37709a2f6a76e26afeee70ed85ad

SHA1
4288cff830b7668fe4961f379d8d0a8c1b9725dc

SHA256
404faef6517117807ef01083d09fd6a7411d2a09851106ecfc235c41744018da

SHA512
aa258407358e642eb0095f2f7e0ea5ad0b0a13b9d4fff42cc3a4268507712f37b0c5b2b1978c4fb7c45f64597127250cdd3fa62324a69491b5dd600e0ef1f96e

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
Filesize
973KB

MD5
5cfe61ff895c7daa889708665ef05d7b

SHA1
5e58efe30406243fbd58d4968b0492ddeef145f2

SHA256
f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

SHA512
43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\WinSock.exe
Filesize
570KB

MD5
4b39a2eef9bcec8e1f2f17b3ccc9c726

SHA1
8630a3def985321967fbdea073908738a8da2b1a

SHA256
5c7a69905381a04a9365796cd255a5f34103c763358b79a9cc146e9e090d4297

SHA512
27593c752a655422f792e0780f43599afa1accf254f69f8bfd771c4f897b1c659d390a5f3d355919eea471309b234ad0b78ab9e9c745a1482d52ae239b9f2bb4

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-certs
Filesize
20KB

MD5
3970702a4eb9f99d8d17b32fffdebdbd

SHA1
0039162f93b1c54d97b2474c5704ddaa98568a7a

SHA256
1525de4da80ceda71b22cd7e630f55dd04c68e5e0801f8686ac2c05d109be6a1

SHA512
e768b1889181046bdfb3e15eee81ffe703d70ed1dd989ba07cde1c62d231823ac2ecc3881bddf944db74c79787fef7de480abac172df62f92ee037f3714a362c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus
Filesize
362KB

MD5
2f1329bab4ac6ee2d644ed0cc5e7f899

SHA1
2a7c02c02c6e6c8e15107de9fc88f99947c859b4

SHA256
c0734d02deda19951f49fdafa013adbc4b9d5f942b015b8f3f936c141fb59fd6

SHA512
e494cb0dbc158ab92f32bc4ecffdb8422a50d9e91b0c26e2b62996a1c1963b46128a14dfae106e4a7ab6db889e50de19ca22824ab3497b691b5cc011fc19273b

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdesc-consensus.tmp
Filesize
35KB

MD5
6141164c2e3da5c8736bd53dc20c9d26

SHA1
6dfe9a08a380d50e4029e8d8b7c2a65c2ce656cf

SHA256
a098203d847f959b9d8c102bec6c0e620d15bc27310e1007623d68d0d00ac7b2

SHA512
248075287c3452a32d295fdbdd918a645343d5a1bf22c1eb1c565d071a982046a5d1e532148c250f3f771c02eeadcbbcee7090ecd0fc741e8b8dcc9406b2e4ca

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new
Filesize
741KB

MD5
812f8f79588d01906ea452edcf8ecb19

SHA1
9998ff6585f61ba0e422e8d3f73e6b6262d3b5ac

SHA256
9d67c43ada66324f91d78db82e9a38748201b02fbb755c0cb03bf059698b7547

SHA512
7002b77fd2e4d3fc4babc9f59563f1b7261dd76313ae456391fed0b0b644e7a65526ca4b60b4fd1fd65593a6653e5d6e4cc27077ebba34106127d5c67605d566

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\cached-microdescs.new
Filesize
388KB

MD5
50a4771297b34398e7b14ef99da1a1ef

SHA1
49c018e79a7e404101b5ba996774a6fd75f84363

SHA256
5ee7cdf17d567e9402f142e0697d4be6bf14a5cc485b636fcbf287341c271bb9

SHA512
150e2543b8a2ac0629799f5c86fa82a591a263c60c9ce2b0054bb9db67007cb07b73cb93f8b9ed4baaa08ee36d44606c6fe52df681f47bfeef62893b60cd38c2

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\state
Filesize
232B

MD5
9c41355d77d1fb56d0cde786f6a1132c

SHA1
eb042ea6ec0594f4f9c9a565f9d39d93d3a61935

SHA256
28263a01ff4128c19b83eaac76f97929647d78b2e3bfa2055eea4527db5259c7

SHA512
0d71f45e40878c75d98747ae456cc591c8d714e372a92fc313c6d5849c23854c1122c18eb7ecbbe474e28b5ce0593cb9b15b6891d4be98acd55c5db1fa70bef6

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\data\unverified-microdesc-consensus
Filesize
266KB

MD5
13da655c9fd1f04a3ffcc679c50e9102

SHA1
edc47e531b47b1921ddf295c1ec081b97d2c1b95

SHA256
29cb07dab6dbae42f7c747ef301a3f9fc41cfed2d3305e4e46ba59cf2827c574

SHA512
a0b93524e537733295cfd31d21493354d3d5529808e255417fe850d067f9cd619aca5d3766a665f22cc6377cfa1094a6b36e5b5509995dd27c2ba19d41552949

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
Filesize
270KB

MD5
66333b2c6edfebde6ac8386eb09a952a

SHA1
524c53de470cee7097bc0745c3c6e20df25b79b4

SHA256
dfa11a16722c6718a8a7a60c9401ebd8e5e46f226595bdf635233f10db37ae13

SHA512
103a09ef812e4d48e8b7ef586a02d895d0ef1f02df9cab518bd2ed79da12a484ff0a18cd94cec8525cb2021c1b89d696fcb06cc072f98e28c7b338b5d0a3cfef

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
Filesize
448KB

MD5
48c25f0a1331def9a82b786ccc6f9990

SHA1
6146109f2ca37c6cf4beb8175c3eeefcf2d736bd

SHA256
483e18bb61dbfc500449e48793b05985060031923329252bf98a85f0dde45efd

SHA512
df19a87036e6e050d2fdc0d141f2f1a77d64a2036373a27eceda6543e7107c91d76346b994c2cd9b381df3171518b78d1a2453d1d221abc03fbfb403932b73be

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
Filesize
413KB

MD5
59cb72f3693767e7dfa8d5dcec5ac083

SHA1
6c4a6ce1f4069b7e52bc684b688914f3e7796b8d

SHA256
34ff3c219268dd006a0be224c457f4be1e5a48b886a87fb279a567718eef4ce0

SHA512
205a960f540b22ec6cc6e217341b6814c32d1d31b1682cda10794745282f5b05fd2780efdf4850f828dbb60b491b16e0908603e10d1b80e8a9cf5175dc3f77f1

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
Filesize
810KB

MD5
133a2a093ba1e1e8708a90fdf31cd6e6

SHA1
25da4e442bc63c6c938c655a49e8001561eca49a

SHA256
a89cdcacd83f2524e0f441706a4aff5511da4c5b55af3bccb57c06db0574f874

SHA512
cfef29d583c0f361219683a1d29360532c83493029b9e26aee1b47a136ad4de9940de84bbe14d0e39a15beaade4c1e5d759823771de6e21b4dd21182e1ad1226

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libcrypto-1_1.dll
Filesize
517KB

MD5
67fdbb07e5458a7ad9f8af3a03851442

SHA1
65598a3e4353092fba31e65ed4ab4305ab5c6317

SHA256
0f29b34a8934aae90c04542e3da52ae3401d031986c6007e2ef490ad02a32b80

SHA512
b29f3ccc04c7a15115b0c46cdf0f4100f377ae2bfca815221ac7f6be16770dff29b433f8860b356c7db178a9ded04b54503bb4978cb6b1befbac51939c04820c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll
Filesize
366KB

MD5
099983c13bade9554a3c17484e5481f1

SHA1
a84e69ad9722f999252d59d0ed9a99901a60e564

SHA256
b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

SHA512
89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libevent-2-1-6.dll
Filesize
339KB

MD5
b7d8e10b11f7ddd18241b5021ba521f9

SHA1
4b5afd07adfbd03ce37c55a878eaba170a093134

SHA256
297a4ab503971f2bcba7d6e20c8acb36d64002123176c7775487d0a003eecd92

SHA512
759fdb7d5ef72095b08e9dcfe071b3fd4fb93df1ffcfa39655799d41bd1c6c912a58146e30b429130fe9d6820578df6d5ea612401649cd8be80227c14a253207

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libgcc_s_sjlj-1.dll
Filesize
286KB

MD5
b0d98f7157d972190fe0759d4368d320

SHA1
5715a533621a2b642aad9616e603c6907d80efc4

SHA256
2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

SHA512
41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll
Filesize
439KB

MD5
c88826ac4bb879622e43ead5bdb95aeb

SHA1
87d29853649a86f0463bfd9ad887b85eedc21723

SHA256
c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

SHA512
f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll
Filesize
386KB

MD5
03ab981731017c1df9b7c58f9e093fc4

SHA1
63dc324287cc1c0ae238f5f213319efb0ce831f9

SHA256
b769475d8921b9ccc7c1adda81f89782335bb1fd824c6adb1aa992920688a214

SHA512
8bf3c1c4b2636c39aa3e20a296828180610ae9cc13f5a3e7b3b78dd0f1686d0ab2dbd93ef8784cf19bf5e341756899a55568d0770230053ca861ae17fc511eea

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll
Filesize
313KB

MD5
628dc67bcdce6d69874b3db107084248

SHA1
f7b0f367268312871b5312ff71f4bf10c02670a4

SHA256
790ce63fb407baaf3e9dac67573dbeea0ab5a8c87a7cd75b4dd657084d0e2341

SHA512
bcde6d5677036efb804c451d46f01fc881b164f1037a12d38a178e2295f4452f7da903e8391e13d72ff2716677f27aba8b244a18894cb4fbb9252b7ed0e5945e

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll
Filesize
432KB

MD5
c3c68d7d00c0261b582b83ec28546052

SHA1
2f4f8db0e978f5e0ec60bf17cfbcd527e80b44a5

SHA256
530cca66bfe52ae78e9d8710f7eae7aefc4cd163513436c8cef15bdb580ccaf0

SHA512
a3a1f92b727f2174ee9ac8c3bc368a15d2d7d35c55b9e361f5816a473a2c9bfc0198b2c5a6f99596f37b29cef34d526ea3f1ccaa3dea577e9002d158a8d2eebc

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssl-1_1.dll
Filesize
372KB

MD5
3a6524dee77624b00ca969512c898a78

SHA1
d0878d5be49bd1b8bd8371b333c1647e438056c5

SHA256
0e03462ab77ef9e80afe337faa6628e2b63375f9777e4f24ebee57b4e4510580

SHA512
ab38e802ca5e8a16c6adef7c27255fe4e2ca2e9b660ca10b89d2f91a45ed7c3db0ebaa24dab9552083ea6c517c60a3223f170ac923bfba73f7fdad495a566a1d

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libssp-0.dll
Filesize
88KB

MD5
2c916456f503075f746c6ea649cf9539

SHA1
fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

SHA256
cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

SHA512
1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\libwinpthread-1.dll
Filesize
188KB

MD5
d407cc6d79a08039a6f4b50539e560b8

SHA1
21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

SHA256
92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

SHA512
378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\torrc
Filesize
157B

MD5
68afdef35a6105c2b148649bd05901b0

SHA1
828a2b590a95c2a411cc1b0004207747f2571024

SHA256
4e4e4e7f9fb03bcb898ce4f6075e3082d3a341d9fff1955ddf45089f83565622

SHA512
f198da05ec57c8525e6643f7f2c212701d0ab641d2850a28ce4cea7c33ac7b5c75782273bf7f01f95ccf02e27adf7c237ed116c5b0f220c13e70fe0aa7cfc671

Download Submit
C:\Users\Admin\AppData\Local\d4f7be4f\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1440-2575-0x00000000726C0000-0x00000000726F9000-memory.dmp

Filesize
228KB

Download
memory/1440-2496-0x0000000072F90000-0x0000000072FC9000-memory.dmp

Filesize
228KB

Download
memory/1440-2518-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1440-2444-0x0000000074580000-0x00000000745B9000-memory.dmp

Filesize
228KB

Download
memory/1440-2441-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/2188-2476-0x0000000073810000-0x0000000073834000-memory.dmp

Filesize
144KB

Download
memory/2188-2473-0x0000000073840000-0x0000000073889000-memory.dmp

Filesize
292KB

Download
memory/2188-2534-0x0000000073810000-0x0000000073834000-memory.dmp

Filesize
144KB

Download
memory/2188-2533-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/2188-2537-0x0000000073840000-0x0000000073889000-memory.dmp

Filesize
292KB

Download
memory/2188-2483-0x00000000733A0000-0x0000000073428000-memory.dmp

Filesize
544KB

Download
memory/2188-2484-0x0000000073960000-0x0000000073A2E000-memory.dmp

Filesize
824KB

Download
memory/2188-2536-0x0000000073890000-0x0000000073958000-memory.dmp

Filesize
800KB

Download
memory/2188-2486-0x0000000073700000-0x000000007380A000-memory.dmp

Filesize
1.0MB

Download
memory/2188-2535-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/2188-2489-0x00000000012D0000-0x0000000001358000-memory.dmp

Filesize
544KB

Download
memory/2188-2472-0x0000000073890000-0x0000000073958000-memory.dmp

Filesize
800KB

Download
memory/2188-2538-0x0000000001860000-0x0000000001B2F000-memory.dmp

Filesize
2.8MB

Download
memory/2188-2547-0x0000000073960000-0x0000000073A2E000-memory.dmp

Filesize
824KB

Download
memory/2188-2548-0x00000000012D0000-0x0000000001358000-memory.dmp

Filesize
544KB

Download
memory/2188-2482-0x0000000001860000-0x0000000001B2F000-memory.dmp

Filesize
2.8MB

Download
memory/2188-2611-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/2188-2469-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/2188-2481-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/3368-2602-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/3368-2606-0x0000000073890000-0x0000000073958000-memory.dmp

Filesize
800KB

Download
memory/3368-2626-0x0000000073890000-0x0000000073958000-memory.dmp

Filesize
800KB

Download
memory/3368-2625-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/3368-2624-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/3368-2623-0x0000000073960000-0x0000000073A2E000-memory.dmp

Filesize
824KB

Download
memory/3368-2609-0x0000000073960000-0x0000000073A2E000-memory.dmp

Filesize
824KB

Download
memory/3368-2610-0x0000000073840000-0x0000000073889000-memory.dmp

Filesize
292KB

Download
memory/3368-2617-0x00000000733A0000-0x0000000073428000-memory.dmp

Filesize
544KB

Download
memory/3368-2614-0x0000000073700000-0x000000007380A000-memory.dmp

Filesize
1.0MB

Download
memory/3368-2613-0x0000000073810000-0x0000000073834000-memory.dmp

Filesize
144KB

Download
memory/3368-2604-0x0000000073430000-0x00000000736FF000-memory.dmp

Filesize
2.8MB

Download
memory/4736-54-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-38-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-50-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-52-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-2442-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4736-56-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-60-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-62-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-64-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-66-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-68-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-70-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-72-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-58-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-44-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-28-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-18-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-26-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-24-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-215-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/4736-46-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-0-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4736-42-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-20-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-40-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-48-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-36-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-34-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-32-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-30-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-16-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-9-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-22-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-14-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-10-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-12-0x00000000031A0000-0x000000000321C000-memory.dmp

Filesize
496KB

Download
memory/4736-1-0x00000000006E0000-0x0000000000DE8000-memory.dmp

Filesize
7.0MB

Download
memory/4736-2-0x0000000005EA0000-0x0000000006444000-memory.dmp

Filesize
5.6MB

Download
memory/4736-8-0x00000000031A0000-0x0000000003222000-memory.dmp

Filesize
520KB

Download
memory/4736-7-0x0000000007E50000-0x0000000008370000-memory.dmp

Filesize
5.1MB

Download
memory/4736-3-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/4736-4-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/4736-6-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4736-5-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/6104-2639-0x0000000073640000-0x0000000073689000-memory.dmp

Filesize
292KB

Download
memory/6104-2641-0x0000000073470000-0x00000000734F8000-memory.dmp

Filesize
544KB

Download
memory/6104-2638-0x0000000073690000-0x0000000073758000-memory.dmp

Filesize
800KB

Download
memory/6104-2648-0x0000000073760000-0x0000000073A2F000-memory.dmp

Filesize
2.8MB

Download
memory/6104-2645-0x00000000733A0000-0x000000007346E000-memory.dmp

Filesize
824KB

Download
memory/6104-2642-0x0000000073500000-0x000000007360A000-memory.dmp

Filesize
1.0MB

Download
memory/6104-2640-0x0000000073610000-0x0000000073634000-memory.dmp

Filesize
144KB

Download
memory/6104-2664-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download

description	pid	process	target process
PID 4736 wrote to memory of 896	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 896	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 896	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 4736 wrote to memory of 1440	4736	75bff99becc32bcbe56efbe7a75f4d45.exe	75bff99becc32bcbe56efbe7a75f4d45.exe
PID 1440 wrote to memory of 2188	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 2188	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 2188	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 3368	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 3368	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 3368	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 6104	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 6104	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe
PID 1440 wrote to memory of 6104	1440	75bff99becc32bcbe56efbe7a75f4d45.exe	WinSock.exe