djvu | 3d557b2b7692818e771d9f0dff1eeab3a5d309b5b627e913e88cbc1d2318d0a8

Analysis

max time kernel
137s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ef84920598e68e97ad8b54a1ee0b3f.exe
Size

702KB
MD5

47ef84920598e68e97ad8b54a1ee0b3f
SHA1

b7aeccf0a7e118dd7bb822dd353129e8324e76a5
SHA256

3d557b2b7692818e771d9f0dff1eeab3a5d309b5b627e913e88cbc1d2318d0a8
SHA512

8acf513af3064cbc6e87d28651b88bd5959068983a585853f6bc678793b0dc930bbfd8ac3ed1c908f3d78e7bea6135400d911a0e14e17434f594e50e680b375a
SSDEEP

12288:+NffGiSE400a6/ctd8jCg1wy3c2UlyF/nZ9aQ5GxFF4E69zWRx:+FepEGWg1yPkF/nZ9HoE9w

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://cajgtus.com/raud/get.php

Attributes

extension
.baaa
offline_id
BmydHWxftXsUWlPOfJ63XT7FvAyu6D9OzaEHjdt1
payload_url
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/f35c6683300c19850f91d3ba79178a1920240429101631/1aabc4 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0866AWDas

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 22 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4764-2-0x00000000048A0000-0x00000000049BB000-memory.dmp	family_djvu
behavioral2/memory/2332-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2332-4-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2332-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2332-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2332-18-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-29-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-31-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-30-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4204-34-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4204-35-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-39-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3380-47-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3380-48-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-50-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-287-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4672-428-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 47ef84920598e68e97ad8b54a1ee0b3f.exe
Executes dropped EXE 4 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

pid process

3944 47ef84920598e68e97ad8b54a1ee0b3f.exe
4204 47ef84920598e68e97ad8b54a1ee0b3f.exe
5016 47ef84920598e68e97ad8b54a1ee0b3f.exe
3380 47ef84920598e68e97ad8b54a1ee0b3f.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3940 icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	47ef84920598e68e97ad8b54a1ee0b3f.exe

pid	process
3944	47ef84920598e68e97ad8b54a1ee0b3f.exe
4204	47ef84920598e68e97ad8b54a1ee0b3f.exe
5016	47ef84920598e68e97ad8b54a1ee0b3f.exe
3380	47ef84920598e68e97ad8b54a1ee0b3f.exe

pid	process
3940	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\\47ef84920598e68e97ad8b54a1ee0b3f.exe\" --AutoStart"	47ef84920598e68e97ad8b54a1ee0b3f.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

60 api.2ip.ua
68 api.2ip.ua
74 api.2ip.ua
19 api.2ip.ua
20 api.2ip.ua

flow	ioc
60	api.2ip.ua
68	api.2ip.ua
74	api.2ip.ua
19	api.2ip.ua
20	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

description	pid	process	target process
PID 4764 set thread context of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 set thread context of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 set thread context of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 set thread context of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

pid	process
2332	47ef84920598e68e97ad8b54a1ee0b3f.exe
2332	47ef84920598e68e97ad8b54a1ee0b3f.exe
4672	47ef84920598e68e97ad8b54a1ee0b3f.exe
4672	47ef84920598e68e97ad8b54a1ee0b3f.exe
4204	47ef84920598e68e97ad8b54a1ee0b3f.exe
4204	47ef84920598e68e97ad8b54a1ee0b3f.exe
3380	47ef84920598e68e97ad8b54a1ee0b3f.exe
3380	47ef84920598e68e97ad8b54a1ee0b3f.exe
4672	47ef84920598e68e97ad8b54a1ee0b3f.exe
4672	47ef84920598e68e97ad8b54a1ee0b3f.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe47ef84920598e68e97ad8b54a1ee0b3f.exe

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3940

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe
"C:\Users\Admin\AppData\Local\Temp\47ef84920598e68e97ad8b54a1ee0b3f.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe
C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe
C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe --Task
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:3184

C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe
C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe
C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe --Task
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3380

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
53eed1e94cb73ddc3fbf5eb560cb657b

SHA1
55d54678edcaaf000c9add0650ce9f374b36b783

SHA256
97ae7b0a6ad57187558aaa8b65d2f803b3bcfd2ec2dfa517df7e75fe6225861f

SHA512
6291c00c558427e562c58fae3ff66f1c674fe03f7c8e11263a5f291639b41c3c45b4296f2f8d4a2a0a0c9b23cea8fe377791a2cdc60e09f277b78ddba8038e1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
9b4572d3cd4b6e4e306f45d6194187eb

SHA1
f77d7a9ccd2bf9400a66ae5d05dae0b5d2478381

SHA256
1fcaa0b3b4a33e48628bccfd560901bfb26d21b0e379e740ecdbf1206de9930c

SHA512
e083e42a162642dd3091141aa1cba3bb8e0f1fe7472f3f5c03cfadfe6e1a620c8dccf3b3840b18406af6ff2381422f143c61a7471a257f343fd5552f30913d07

Download Submit
C:\Users\Admin\AppData\Local\f96c301a-ba15-445c-9fc3-ff9949ce5fc7\47ef84920598e68e97ad8b54a1ee0b3f.exe
Filesize
702KB

MD5
47ef84920598e68e97ad8b54a1ee0b3f

SHA1
b7aeccf0a7e118dd7bb822dd353129e8324e76a5

SHA256
3d557b2b7692818e771d9f0dff1eeab3a5d309b5b627e913e88cbc1d2318d0a8

SHA512
8acf513af3064cbc6e87d28651b88bd5959068983a585853f6bc678793b0dc930bbfd8ac3ed1c908f3d78e7bea6135400d911a0e14e17434f594e50e680b375a

Download Submit
memory/2332-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2332-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2332-18-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2332-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2332-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3380-48-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4204-35-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4204-34-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-29-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-30-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-428-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-39-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-31-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-287-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4672-50-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4764-2-0x00000000048A0000-0x00000000049BB000-memory.dmp

Filesize
1.1MB

Download
memory/4764-1-0x00000000047F0000-0x0000000004885000-memory.dmp

Filesize
596KB

Download

description	pid	process	target process
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 4764 wrote to memory of 2332	4764	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2332 wrote to memory of 3940	2332	47ef84920598e68e97ad8b54a1ee0b3f.exe	icacls.exe
PID 2332 wrote to memory of 3940	2332	47ef84920598e68e97ad8b54a1ee0b3f.exe	icacls.exe
PID 2332 wrote to memory of 3940	2332	47ef84920598e68e97ad8b54a1ee0b3f.exe	icacls.exe
PID 2332 wrote to memory of 1084	2332	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2332 wrote to memory of 1084	2332	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 2332 wrote to memory of 1084	2332	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 1084 wrote to memory of 4672	1084	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 3944 wrote to memory of 4204	3944	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe
PID 5016 wrote to memory of 3380	5016	47ef84920598e68e97ad8b54a1ee0b3f.exe	47ef84920598e68e97ad8b54a1ee0b3f.exe