djvu | 3d557b2b7692818e771d9f0dff1eeab3a5d309b5b627e913e88cbc1d2318d0a8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ef84920598e68e97ad8b54a1ee0b3f.exe
Size

702KB
MD5

47ef84920598e68e97ad8b54a1ee0b3f
SHA1

b7aeccf0a7e118dd7bb822dd353129e8324e76a5
SHA256

3d557b2b7692818e771d9f0dff1eeab3a5d309b5b627e913e88cbc1d2318d0a8
SHA512

8acf513af3064cbc6e87d28651b88bd5959068983a585853f6bc678793b0dc930bbfd8ac3ed1c908f3d78e7bea6135400d911a0e14e17434f594e50e680b375a
SSDEEP

12288:+NffGiSE400a6/ctd8jCg1wy3c2UlyF/nZ9aQ5GxFF4E69zWRx:+FepEGWg1yPkF/nZ9HoE9w

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cajgtus.com/raud/get.php

Attributes

extension
.baaa
offline_id
BmydHWxftXsUWlPOfJ63XT7FvAyu6D9OzaEHjdt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/f35c6683300c19850f91d3ba79178a1920240429101631/1aabc4 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0866AWDas

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-2-0x00000000043C0000-0x00000000044DB000-memory.dmp	family_djvu
behavioral1/memory/2628-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2628-7-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2628-9-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2628-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-55-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3064-69-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-75-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-76-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2616-451-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 2 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

pid process

2340 47ef84920598e68e97ad8b54a1ee0b3f.exe
3064 47ef84920598e68e97ad8b54a1ee0b3f.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2484 icacls.exe

pid	process
2340	47ef84920598e68e97ad8b54a1ee0b3f.exe
3064	47ef84920598e68e97ad8b54a1ee0b3f.exe

pid	process
2484	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\27f04711-53de-4557-8e92-08a1ea222b65\\47ef84920598e68e97ad8b54a1ee0b3f.exe\" --AutoStart"	47ef84920598e68e97ad8b54a1ee0b3f.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.2ip.ua
4 api.2ip.ua
9 api.2ip.ua
14 api.2ip.ua

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua
14	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

description	pid	process	target process
PID 2940 set thread context of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 set thread context of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 set thread context of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

pid	process
2628	47ef84920598e68e97ad8b54a1ee0b3f.exe
2616	47ef84920598e68e97ad8b54a1ee0b3f.exe
3064	47ef84920598e68e97ad8b54a1ee0b3f.exe
3064	47ef84920598e68e97ad8b54a1ee0b3f.exe
2616	47ef84920598e68e97ad8b54a1ee0b3f.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exetaskeng.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\27f04711-53de-4557-8e92-08a1ea222b65" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2484

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Windows\system32\taskeng.exe
taskeng.exe {078845F0-7EE0-485A-A1D3-995453CECE9B} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\27f04711-53de-4557-8e92-08a1ea222b65\47ef84920598e68e97ad8b54a1ee0b3f.exe
C:\Users\Admin\AppData\Local\27f04711-53de-4557-8e92-08a1ea222b65\47ef84920598e68e97ad8b54a1ee0b3f.exe --Task
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\27f04711-53de-4557-8e92-08a1ea222b65\47ef84920598e68e97ad8b54a1ee0b3f.exe
C:\Users\Admin\AppData\Local\27f04711-53de-4557-8e92-08a1ea222b65\47ef84920598e68e97ad8b54a1ee0b3f.exe --Task
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3064

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
c01081be22541243a186e1a4833cc351

SHA1
390643186fa880f068432379916605a2f3e509e8

SHA256
456b36e9312efa3a45b6ac0f34e8ada99a9dc1d849c5c6a8d0adbb76a5ba9ca4

SHA512
988314816324c53324692e1864aa5c50383ee5f19d79811624abd8ec4228a7a3ab1e688ed846e7ef2a9123f0488341374281ee9ffc4964f5a16916b576d0ef7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c0edd7be732ace6e2dfb194a75eb7c3c

SHA1
6c608dfe0292a4e3af050cdce34646034f646ee3

SHA256
c43613d1c37d6a6a5a36f57b9a1ecd4ef7794a95fa15fcd40adcb6b38c6da693

SHA512
7f276d425468b921671781813edb669a0ad40a782b9dcb73293d0db3b5379e593cce68b21572df9bc0a8302819da4fa61573b725d2bef28ac34d8c3d01f859b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
067989a2512442ae03070588c74b3185

SHA1
a078b44e70e7de095d7e2e012ed3070d717bb5cb

SHA256
419d5e932e282c8c682d5d3a23fd3970c016c99a028b3c74713d7754e0481b19

SHA512
f05a6ec89476c70a04cdb1a0d11392a5c65fd8c271d59f2b400279de1945934ddff0415f7797b5cc39dd7bf4a99e90fee71aa33d69055350661191206a157e58

Download Submit
C:\Users\Admin\AppData\Local\27f04711-53de-4557-8e92-08a1ea222b65\47ef84920598e68e97ad8b54a1ee0b3f.exe
Filesize
702KB

MD5
47ef84920598e68e97ad8b54a1ee0b3f

SHA1
b7aeccf0a7e118dd7bb822dd353129e8324e76a5

SHA256
3d557b2b7692818e771d9f0dff1eeab3a5d309b5b627e913e88cbc1d2318d0a8

SHA512
8acf513af3064cbc6e87d28651b88bd5959068983a585853f6bc678793b0dc930bbfd8ac3ed1c908f3d78e7bea6135400d911a0e14e17434f594e50e680b375a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab22FB.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4AD7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2340-54-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2616-76-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-451-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-75-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-55-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2628-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2628-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2628-7-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2628-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-9-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2760-32-0x0000000000310000-0x00000000003A1000-memory.dmp

Filesize
580KB

Download
memory/2940-8-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2940-1-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2940-0-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2940-2-0x00000000043C0000-0x00000000044DB000-memory.dmp

Filesize
1.1MB

Download
memory/3064-69-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download

description	pid	process	target process
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2940 wrote to memory of 2628	2940	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2628 wrote to memory of 2484	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	icacls.exe
PID 2628 wrote to memory of 2484	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	icacls.exe
PID 2628 wrote to memory of 2484	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	icacls.exe
PID 2628 wrote to memory of 2484	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	icacls.exe
PID 2628 wrote to memory of 2760	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2628 wrote to memory of 2760	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2628 wrote to memory of 2760	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2628 wrote to memory of 2760	2628	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2760 wrote to memory of 2616	2760	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2788 wrote to memory of 2340	2788	taskeng.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2788 wrote to memory of 2340	2788	taskeng.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2788 wrote to memory of 2340	2788	taskeng.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2788 wrote to memory of 2340	2788	taskeng.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2340 wrote to memory of 3064	2340	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe