57594f717e61f16279700e7f364b2856ac853b7d76f284621e3aa46d3f7faa3c

Analysis

max time kernel
118s
max time network
117s
platform
windows7_x64
resource
win7v20201028
submitted
31/10/2020, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inn.bin.exe
Size

155KB
MD5

af568e8a6060812f040f0cb0fd6f5a7b
SHA1

e7f0c17b338d78c4f8b82b032af9f81828512b30
SHA256

3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9
SHA512

2c44272dcf130a95ea0e83fa02d2629edecf94b16452127f2e177f00f4bf48f2e306ec53b28d2005a27e8b683dc683fb54146a711233aa1e1c4256a9e4ac979b

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 20 IoCs

evasion

pid	Process
1588	taskkill.exe
1728	taskkill.exe
1792	taskkill.exe
1968	taskkill.exe
1752	taskkill.exe
1116	taskkill.exe
1472	taskkill.exe
916	taskkill.exe
576	taskkill.exe
1684	taskkill.exe
1796	taskkill.exe
296	taskkill.exe
552	taskkill.exe
1320	taskkill.exe
1988	taskkill.exe
1800	taskkill.exe
2000	taskkill.exe
268	taskkill.exe
956	taskkill.exe
1920	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe

Suspicious use of WriteProcessMemory 364 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1588	2024	inn.bin.exe	26
PID 2024 wrote to memory of 1588	2024	inn.bin.exe	26
PID 2024 wrote to memory of 1588	2024	inn.bin.exe	26
PID 2024 wrote to memory of 1588	2024	inn.bin.exe	26
PID 2024 wrote to memory of 1684	2024	inn.bin.exe	27
PID 2024 wrote to memory of 1684	2024	inn.bin.exe	27
PID 2024 wrote to memory of 1684	2024	inn.bin.exe	27
PID 2024 wrote to memory of 1684	2024	inn.bin.exe	27
PID 2024 wrote to memory of 1988	2024	inn.bin.exe	29
PID 2024 wrote to memory of 1988	2024	inn.bin.exe	29
PID 2024 wrote to memory of 1988	2024	inn.bin.exe	29
PID 2024 wrote to memory of 1988	2024	inn.bin.exe	29
PID 2024 wrote to memory of 1968	2024	inn.bin.exe	32
PID 2024 wrote to memory of 1968	2024	inn.bin.exe	32
PID 2024 wrote to memory of 1968	2024	inn.bin.exe	32
PID 2024 wrote to memory of 1968	2024	inn.bin.exe	32
PID 2024 wrote to memory of 1796	2024	inn.bin.exe	33
PID 2024 wrote to memory of 1796	2024	inn.bin.exe	33
PID 2024 wrote to memory of 1796	2024	inn.bin.exe	33
PID 2024 wrote to memory of 1796	2024	inn.bin.exe	33
PID 2024 wrote to memory of 1752	2024	inn.bin.exe	36
PID 2024 wrote to memory of 1752	2024	inn.bin.exe	36
PID 2024 wrote to memory of 1752	2024	inn.bin.exe	36
PID 2024 wrote to memory of 1752	2024	inn.bin.exe	36
PID 2024 wrote to memory of 1800	2024	inn.bin.exe	37
PID 2024 wrote to memory of 1800	2024	inn.bin.exe	37
PID 2024 wrote to memory of 1800	2024	inn.bin.exe	37
PID 2024 wrote to memory of 1800	2024	inn.bin.exe	37
PID 2024 wrote to memory of 296	2024	inn.bin.exe	38
PID 2024 wrote to memory of 296	2024	inn.bin.exe	38
PID 2024 wrote to memory of 296	2024	inn.bin.exe	38
PID 2024 wrote to memory of 296	2024	inn.bin.exe	38
PID 2024 wrote to memory of 1728	2024	inn.bin.exe	41
PID 2024 wrote to memory of 1728	2024	inn.bin.exe	41
PID 2024 wrote to memory of 1728	2024	inn.bin.exe	41
PID 2024 wrote to memory of 1728	2024	inn.bin.exe	41
PID 2024 wrote to memory of 1116	2024	inn.bin.exe	43
PID 2024 wrote to memory of 1116	2024	inn.bin.exe	43
PID 2024 wrote to memory of 1116	2024	inn.bin.exe	43
PID 2024 wrote to memory of 1116	2024	inn.bin.exe	43
PID 2024 wrote to memory of 2000	2024	inn.bin.exe	46
PID 2024 wrote to memory of 2000	2024	inn.bin.exe	46
PID 2024 wrote to memory of 2000	2024	inn.bin.exe	46
PID 2024 wrote to memory of 2000	2024	inn.bin.exe	46
PID 2024 wrote to memory of 268	2024	inn.bin.exe	47
PID 2024 wrote to memory of 268	2024	inn.bin.exe	47
PID 2024 wrote to memory of 268	2024	inn.bin.exe	47
PID 2024 wrote to memory of 268	2024	inn.bin.exe	47
PID 2024 wrote to memory of 552	2024	inn.bin.exe	50
PID 2024 wrote to memory of 552	2024	inn.bin.exe	50
PID 2024 wrote to memory of 552	2024	inn.bin.exe	50
PID 2024 wrote to memory of 552	2024	inn.bin.exe	50
PID 2024 wrote to memory of 956	2024	inn.bin.exe	51
PID 2024 wrote to memory of 956	2024	inn.bin.exe	51
PID 2024 wrote to memory of 956	2024	inn.bin.exe	51
PID 2024 wrote to memory of 956	2024	inn.bin.exe	51
PID 2024 wrote to memory of 1472	2024	inn.bin.exe	53
PID 2024 wrote to memory of 1472	2024	inn.bin.exe	53
PID 2024 wrote to memory of 1472	2024	inn.bin.exe	53
PID 2024 wrote to memory of 1472	2024	inn.bin.exe	53
PID 2024 wrote to memory of 916	2024	inn.bin.exe	55
PID 2024 wrote to memory of 916	2024	inn.bin.exe	55
PID 2024 wrote to memory of 916	2024	inn.bin.exe	55
PID 2024 wrote to memory of 916	2024	inn.bin.exe	55
PID 2024 wrote to memory of 1320	2024	inn.bin.exe	58
PID 2024 wrote to memory of 1320	2024	inn.bin.exe	58
PID 2024 wrote to memory of 1320	2024	inn.bin.exe	58
PID 2024 wrote to memory of 1320	2024	inn.bin.exe	58
PID 2024 wrote to memory of 1792	2024	inn.bin.exe	59
PID 2024 wrote to memory of 1792	2024	inn.bin.exe	59
PID 2024 wrote to memory of 1792	2024	inn.bin.exe	59
PID 2024 wrote to memory of 1792	2024	inn.bin.exe	59
PID 2024 wrote to memory of 576	2024	inn.bin.exe	62
PID 2024 wrote to memory of 576	2024	inn.bin.exe	62
PID 2024 wrote to memory of 576	2024	inn.bin.exe	62
PID 2024 wrote to memory of 576	2024	inn.bin.exe	62
PID 2024 wrote to memory of 1920	2024	inn.bin.exe	64
PID 2024 wrote to memory of 1920	2024	inn.bin.exe	64
PID 2024 wrote to memory of 1920	2024	inn.bin.exe	64
PID 2024 wrote to memory of 1920	2024	inn.bin.exe	64
PID 2024 wrote to memory of 1996	2024	inn.bin.exe	66
PID 2024 wrote to memory of 1996	2024	inn.bin.exe	66
PID 2024 wrote to memory of 1996	2024	inn.bin.exe	66
PID 2024 wrote to memory of 1996	2024	inn.bin.exe	66
PID 2024 wrote to memory of 1580	2024	inn.bin.exe	68
PID 2024 wrote to memory of 1580	2024	inn.bin.exe	68
PID 2024 wrote to memory of 1580	2024	inn.bin.exe	68
PID 2024 wrote to memory of 1580	2024	inn.bin.exe	68
PID 2024 wrote to memory of 1608	2024	inn.bin.exe	70
PID 2024 wrote to memory of 1608	2024	inn.bin.exe	70
PID 2024 wrote to memory of 1608	2024	inn.bin.exe	70
PID 2024 wrote to memory of 1608	2024	inn.bin.exe	70
PID 2024 wrote to memory of 2064	2024	inn.bin.exe	72
PID 2024 wrote to memory of 2064	2024	inn.bin.exe	72
PID 2024 wrote to memory of 2064	2024	inn.bin.exe	72
PID 2024 wrote to memory of 2064	2024	inn.bin.exe	72
PID 2024 wrote to memory of 2088	2024	inn.bin.exe	74
PID 2024 wrote to memory of 2088	2024	inn.bin.exe	74
PID 2024 wrote to memory of 2088	2024	inn.bin.exe	74
PID 2024 wrote to memory of 2088	2024	inn.bin.exe	74
PID 2024 wrote to memory of 2104	2024	inn.bin.exe	75
PID 2024 wrote to memory of 2104	2024	inn.bin.exe	75
PID 2024 wrote to memory of 2104	2024	inn.bin.exe	75
PID 2024 wrote to memory of 2104	2024	inn.bin.exe	75
PID 2024 wrote to memory of 2128	2024	inn.bin.exe	77
PID 2024 wrote to memory of 2128	2024	inn.bin.exe	77
PID 2024 wrote to memory of 2128	2024	inn.bin.exe	77
PID 2024 wrote to memory of 2128	2024	inn.bin.exe	77
PID 2024 wrote to memory of 2152	2024	inn.bin.exe	79
PID 2024 wrote to memory of 2152	2024	inn.bin.exe	79
PID 2024 wrote to memory of 2152	2024	inn.bin.exe	79
PID 2024 wrote to memory of 2152	2024	inn.bin.exe	79
PID 2024 wrote to memory of 2176	2024	inn.bin.exe	81
PID 2024 wrote to memory of 2176	2024	inn.bin.exe	81
PID 2024 wrote to memory of 2176	2024	inn.bin.exe	81
PID 2024 wrote to memory of 2176	2024	inn.bin.exe	81
PID 2024 wrote to memory of 2200	2024	inn.bin.exe	83
PID 2024 wrote to memory of 2200	2024	inn.bin.exe	83
PID 2024 wrote to memory of 2200	2024	inn.bin.exe	83
PID 2024 wrote to memory of 2200	2024	inn.bin.exe	83
PID 2024 wrote to memory of 2224	2024	inn.bin.exe	85
PID 2024 wrote to memory of 2224	2024	inn.bin.exe	85
PID 2024 wrote to memory of 2224	2024	inn.bin.exe	85
PID 2024 wrote to memory of 2224	2024	inn.bin.exe	85
PID 2024 wrote to memory of 2256	2024	inn.bin.exe	88
PID 2024 wrote to memory of 2256	2024	inn.bin.exe	88
PID 2024 wrote to memory of 2256	2024	inn.bin.exe	88
PID 2024 wrote to memory of 2256	2024	inn.bin.exe	88
PID 2024 wrote to memory of 2272	2024	inn.bin.exe	89
PID 2024 wrote to memory of 2272	2024	inn.bin.exe	89
PID 2024 wrote to memory of 2272	2024	inn.bin.exe	89
PID 2024 wrote to memory of 2272	2024	inn.bin.exe	89
PID 2024 wrote to memory of 2304	2024	inn.bin.exe	92
PID 2024 wrote to memory of 2304	2024	inn.bin.exe	92
PID 2024 wrote to memory of 2304	2024	inn.bin.exe	92
PID 2024 wrote to memory of 2304	2024	inn.bin.exe	92
PID 2024 wrote to memory of 2328	2024	inn.bin.exe	94
PID 2024 wrote to memory of 2328	2024	inn.bin.exe	94
PID 2024 wrote to memory of 2328	2024	inn.bin.exe	94
PID 2024 wrote to memory of 2328	2024	inn.bin.exe	94
PID 2024 wrote to memory of 2344	2024	inn.bin.exe	95
PID 2024 wrote to memory of 2344	2024	inn.bin.exe	95
PID 2024 wrote to memory of 2344	2024	inn.bin.exe	95
PID 2024 wrote to memory of 2344	2024	inn.bin.exe	95
PID 2024 wrote to memory of 2368	2024	inn.bin.exe	97
PID 2024 wrote to memory of 2368	2024	inn.bin.exe	97
PID 2024 wrote to memory of 2368	2024	inn.bin.exe	97
PID 2024 wrote to memory of 2368	2024	inn.bin.exe	97
PID 2024 wrote to memory of 2392	2024	inn.bin.exe	99
PID 2024 wrote to memory of 2392	2024	inn.bin.exe	99
PID 2024 wrote to memory of 2392	2024	inn.bin.exe	99
PID 2024 wrote to memory of 2392	2024	inn.bin.exe	99
PID 2024 wrote to memory of 2416	2024	inn.bin.exe	101
PID 2024 wrote to memory of 2416	2024	inn.bin.exe	101
PID 2024 wrote to memory of 2416	2024	inn.bin.exe	101
PID 2024 wrote to memory of 2416	2024	inn.bin.exe	101
PID 2024 wrote to memory of 2448	2024	inn.bin.exe	104
PID 2024 wrote to memory of 2448	2024	inn.bin.exe	104
PID 2024 wrote to memory of 2448	2024	inn.bin.exe	104
PID 2024 wrote to memory of 2448	2024	inn.bin.exe	104
PID 2024 wrote to memory of 2464	2024	inn.bin.exe	105
PID 2024 wrote to memory of 2464	2024	inn.bin.exe	105
PID 2024 wrote to memory of 2464	2024	inn.bin.exe	105
PID 2024 wrote to memory of 2464	2024	inn.bin.exe	105
PID 2024 wrote to memory of 2488	2024	inn.bin.exe	107
PID 2024 wrote to memory of 2488	2024	inn.bin.exe	107
PID 2024 wrote to memory of 2488	2024	inn.bin.exe	107
PID 2024 wrote to memory of 2488	2024	inn.bin.exe	107
PID 2024 wrote to memory of 2512	2024	inn.bin.exe	109
PID 2024 wrote to memory of 2512	2024	inn.bin.exe	109
PID 2024 wrote to memory of 2512	2024	inn.bin.exe	109
PID 2024 wrote to memory of 2512	2024	inn.bin.exe	109
PID 2024 wrote to memory of 2548	2024	inn.bin.exe	112
PID 2024 wrote to memory of 2548	2024	inn.bin.exe	112
PID 2024 wrote to memory of 2548	2024	inn.bin.exe	112
PID 2024 wrote to memory of 2548	2024	inn.bin.exe	112
PID 2024 wrote to memory of 2664	2024	inn.bin.exe	114
PID 2024 wrote to memory of 2664	2024	inn.bin.exe	114
PID 2024 wrote to memory of 2664	2024	inn.bin.exe	114
PID 2024 wrote to memory of 2664	2024	inn.bin.exe	114
PID 2024 wrote to memory of 2760	2024	inn.bin.exe	115
PID 2024 wrote to memory of 2760	2024	inn.bin.exe	115
PID 2024 wrote to memory of 2760	2024	inn.bin.exe	115
PID 2024 wrote to memory of 2760	2024	inn.bin.exe	115
PID 2024 wrote to memory of 2804	2024	inn.bin.exe	119
PID 2024 wrote to memory of 2804	2024	inn.bin.exe	119
PID 2024 wrote to memory of 2804	2024	inn.bin.exe	119
PID 2024 wrote to memory of 2804	2024	inn.bin.exe	119
PID 2024 wrote to memory of 2836	2024	inn.bin.exe	120
PID 2024 wrote to memory of 2836	2024	inn.bin.exe	120
PID 2024 wrote to memory of 2836	2024	inn.bin.exe	120
PID 2024 wrote to memory of 2836	2024	inn.bin.exe	120
PID 2024 wrote to memory of 2896	2024	inn.bin.exe	124
PID 2024 wrote to memory of 2896	2024	inn.bin.exe	124
PID 2024 wrote to memory of 2896	2024	inn.bin.exe	124
PID 2024 wrote to memory of 2896	2024	inn.bin.exe	124
PID 2024 wrote to memory of 2936	2024	inn.bin.exe	125
PID 2024 wrote to memory of 2936	2024	inn.bin.exe	125
PID 2024 wrote to memory of 2936	2024	inn.bin.exe	125
PID 2024 wrote to memory of 2936	2024	inn.bin.exe	125
PID 2024 wrote to memory of 3024	2024	inn.bin.exe	128
PID 2024 wrote to memory of 3024	2024	inn.bin.exe	128
PID 2024 wrote to memory of 3024	2024	inn.bin.exe	128
PID 2024 wrote to memory of 3024	2024	inn.bin.exe	128
PID 2024 wrote to memory of 2140	2024	inn.bin.exe	130
PID 2024 wrote to memory of 2140	2024	inn.bin.exe	130
PID 2024 wrote to memory of 2140	2024	inn.bin.exe	130
PID 2024 wrote to memory of 2140	2024	inn.bin.exe	130
PID 2024 wrote to memory of 2252	2024	inn.bin.exe	132
PID 2024 wrote to memory of 2252	2024	inn.bin.exe	132
PID 2024 wrote to memory of 2252	2024	inn.bin.exe	132
PID 2024 wrote to memory of 2252	2024	inn.bin.exe	132
PID 2024 wrote to memory of 2340	2024	inn.bin.exe	134
PID 2024 wrote to memory of 2340	2024	inn.bin.exe	134
PID 2024 wrote to memory of 2340	2024	inn.bin.exe	134
PID 2024 wrote to memory of 2340	2024	inn.bin.exe	134
PID 2024 wrote to memory of 2476	2024	inn.bin.exe	136
PID 2024 wrote to memory of 2476	2024	inn.bin.exe	136
PID 2024 wrote to memory of 2476	2024	inn.bin.exe	136
PID 2024 wrote to memory of 2476	2024	inn.bin.exe	136
PID 2024 wrote to memory of 2540	2024	inn.bin.exe	138
PID 2024 wrote to memory of 2540	2024	inn.bin.exe	138
PID 2024 wrote to memory of 2540	2024	inn.bin.exe	138
PID 2024 wrote to memory of 2540	2024	inn.bin.exe	138
PID 2064 wrote to memory of 3220	2064	net.exe	141
PID 2064 wrote to memory of 3220	2064	net.exe	141
PID 2064 wrote to memory of 3220	2064	net.exe	141
PID 2064 wrote to memory of 3220	2064	net.exe	141
PID 1608 wrote to memory of 3228	1608	net.exe	142
PID 1608 wrote to memory of 3228	1608	net.exe	142
PID 1608 wrote to memory of 3228	1608	net.exe	142
PID 1608 wrote to memory of 3228	1608	net.exe	142
PID 1996 wrote to memory of 3236	1996	net.exe	143
PID 1996 wrote to memory of 3236	1996	net.exe	143
PID 1996 wrote to memory of 3236	1996	net.exe	143
PID 1996 wrote to memory of 3236	1996	net.exe	143
PID 2304 wrote to memory of 3284	2304	net.exe	144
PID 2304 wrote to memory of 3284	2304	net.exe	144
PID 2304 wrote to memory of 3284	2304	net.exe	144
PID 2304 wrote to memory of 3284	2304	net.exe	144
PID 2224 wrote to memory of 3276	2224	net.exe	147
PID 2224 wrote to memory of 3276	2224	net.exe	147
PID 2224 wrote to memory of 3276	2224	net.exe	147
PID 2224 wrote to memory of 3276	2224	net.exe	147
PID 2512 wrote to memory of 3268	2512	net.exe	145
PID 2512 wrote to memory of 3268	2512	net.exe	145
PID 2512 wrote to memory of 3268	2512	net.exe	145
PID 2512 wrote to memory of 3268	2512	net.exe	145
PID 2416 wrote to memory of 3300	2416	net.exe	148
PID 2416 wrote to memory of 3300	2416	net.exe	148
PID 2416 wrote to memory of 3300	2416	net.exe	148
PID 2416 wrote to memory of 3300	2416	net.exe	148
PID 2272 wrote to memory of 3292	2272	net.exe	146
PID 2272 wrote to memory of 3292	2272	net.exe	146
PID 2272 wrote to memory of 3292	2272	net.exe	146
PID 2272 wrote to memory of 3292	2272	net.exe	146
PID 2548 wrote to memory of 3440	2548	net.exe	149
PID 2548 wrote to memory of 3440	2548	net.exe	149
PID 2548 wrote to memory of 3440	2548	net.exe	149
PID 2548 wrote to memory of 3440	2548	net.exe	149
PID 2464 wrote to memory of 3464	2464	net.exe	150
PID 2464 wrote to memory of 3464	2464	net.exe	150
PID 2464 wrote to memory of 3464	2464	net.exe	150
PID 2464 wrote to memory of 3464	2464	net.exe	150
PID 2104 wrote to memory of 3472	2104	net.exe	151
PID 2104 wrote to memory of 3472	2104	net.exe	151
PID 2104 wrote to memory of 3472	2104	net.exe	151
PID 2104 wrote to memory of 3472	2104	net.exe	151
PID 2252 wrote to memory of 3508	2252	net.exe	154
PID 2252 wrote to memory of 3508	2252	net.exe	154
PID 2252 wrote to memory of 3508	2252	net.exe	154
PID 2252 wrote to memory of 3508	2252	net.exe	154
PID 2140 wrote to memory of 3484	2140	net.exe	152
PID 2140 wrote to memory of 3484	2140	net.exe	152
PID 2140 wrote to memory of 3484	2140	net.exe	152
PID 2140 wrote to memory of 3484	2140	net.exe	152
PID 1580 wrote to memory of 3516	1580	net.exe	155
PID 1580 wrote to memory of 3516	1580	net.exe	155
PID 1580 wrote to memory of 3516	1580	net.exe	155
PID 1580 wrote to memory of 3516	1580	net.exe	155
PID 2760 wrote to memory of 3500	2760	net.exe	153
PID 2760 wrote to memory of 3500	2760	net.exe	153
PID 2760 wrote to memory of 3500	2760	net.exe	153
PID 2760 wrote to memory of 3500	2760	net.exe	153
PID 2340 wrote to memory of 3552	2340	net.exe	156
PID 2340 wrote to memory of 3552	2340	net.exe	156
PID 2340 wrote to memory of 3552	2340	net.exe	156
PID 2340 wrote to memory of 3552	2340	net.exe	156
PID 2200 wrote to memory of 3564	2200	net.exe	157
PID 2200 wrote to memory of 3564	2200	net.exe	157
PID 2200 wrote to memory of 3564	2200	net.exe	157
PID 2200 wrote to memory of 3564	2200	net.exe	157
PID 2368 wrote to memory of 3572	2368	net.exe	158
PID 2368 wrote to memory of 3572	2368	net.exe	158
PID 2368 wrote to memory of 3572	2368	net.exe	158
PID 2368 wrote to memory of 3572	2368	net.exe	158
PID 2448 wrote to memory of 3584	2448	net.exe	159
PID 2448 wrote to memory of 3584	2448	net.exe	159
PID 2448 wrote to memory of 3584	2448	net.exe	159
PID 2448 wrote to memory of 3584	2448	net.exe	159
PID 2088 wrote to memory of 3592	2088	net.exe	160
PID 2088 wrote to memory of 3592	2088	net.exe	160
PID 2088 wrote to memory of 3592	2088	net.exe	160
PID 2088 wrote to memory of 3592	2088	net.exe	160
PID 2836 wrote to memory of 3604	2836	net.exe	161
PID 2836 wrote to memory of 3604	2836	net.exe	161
PID 2836 wrote to memory of 3604	2836	net.exe	161
PID 2836 wrote to memory of 3604	2836	net.exe	161
PID 3024 wrote to memory of 3612	3024	net.exe	162
PID 3024 wrote to memory of 3612	3024	net.exe	162
PID 3024 wrote to memory of 3612	3024	net.exe	162
PID 3024 wrote to memory of 3612	3024	net.exe	162
PID 2152 wrote to memory of 3644	2152	net.exe	165
PID 2152 wrote to memory of 3644	2152	net.exe	165
PID 2152 wrote to memory of 3644	2152	net.exe	165
PID 2152 wrote to memory of 3644	2152	net.exe	165
PID 2488 wrote to memory of 3636	2488	net.exe	164
PID 2488 wrote to memory of 3636	2488	net.exe	164
PID 2488 wrote to memory of 3636	2488	net.exe	164
PID 2488 wrote to memory of 3636	2488	net.exe	164
PID 2392 wrote to memory of 3656	2392	net.exe	166
PID 2392 wrote to memory of 3656	2392	net.exe	166
PID 2392 wrote to memory of 3656	2392	net.exe	166
PID 2392 wrote to memory of 3656	2392	net.exe	166
PID 2936 wrote to memory of 3624	2936	net.exe	163
PID 2936 wrote to memory of 3624	2936	net.exe	163
PID 2936 wrote to memory of 3624	2936	net.exe	163
PID 2936 wrote to memory of 3624	2936	net.exe	163
PID 2476 wrote to memory of 3708	2476	net.exe	169
PID 2476 wrote to memory of 3708	2476	net.exe	169
PID 2476 wrote to memory of 3708	2476	net.exe	169
PID 2476 wrote to memory of 3708	2476	net.exe	169
PID 2256 wrote to memory of 3720	2256	net.exe	170
PID 2256 wrote to memory of 3720	2256	net.exe	170
PID 2256 wrote to memory of 3720	2256	net.exe	170
PID 2256 wrote to memory of 3720	2256	net.exe	170
PID 2664 wrote to memory of 3728	2664	net.exe	171
PID 2664 wrote to memory of 3728	2664	net.exe	171
PID 2664 wrote to memory of 3728	2664	net.exe	171
PID 2664 wrote to memory of 3728	2664	net.exe	171
PID 2176 wrote to memory of 3668	2176	net.exe	167
PID 2176 wrote to memory of 3668	2176	net.exe	167
PID 2176 wrote to memory of 3668	2176	net.exe	167
PID 2176 wrote to memory of 3668	2176	net.exe	167
PID 2328 wrote to memory of 3680	2328	net.exe	168
PID 2328 wrote to memory of 3680	2328	net.exe	168
PID 2328 wrote to memory of 3680	2328	net.exe	168
PID 2328 wrote to memory of 3680	2328	net.exe	168
PID 2128 wrote to memory of 3772	2128	net.exe	172
PID 2128 wrote to memory of 3772	2128	net.exe	172
PID 2128 wrote to memory of 3772	2128	net.exe	172
PID 2128 wrote to memory of 3772	2128	net.exe	172
PID 2344 wrote to memory of 3808	2344	net.exe	173
PID 2344 wrote to memory of 3808	2344	net.exe	173
PID 2344 wrote to memory of 3808	2344	net.exe	173
PID 2344 wrote to memory of 3808	2344	net.exe	173
PID 2896 wrote to memory of 3860	2896	net.exe	174
PID 2896 wrote to memory of 3860	2896	net.exe	174
PID 2896 wrote to memory of 3860	2896	net.exe	174
PID 2896 wrote to memory of 3860	2896	net.exe	174
PID 2804 wrote to memory of 3880	2804	net.exe	175
PID 2804 wrote to memory of 3880	2804	net.exe	175
PID 2804 wrote to memory of 3880	2804	net.exe	175
PID 2804 wrote to memory of 3880	2804	net.exe	175

C:\Users\Admin\AppData\Local\Temp\inn.bin.exe
"C:\Users\Admin\AppData\Local\Temp\inn.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "mysql*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "dsa*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "Ntrtscan*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "ds_monitor*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "Notifier*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "TmListen*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "iVPAgent*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "CNTAoSMgr*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:296
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "IBM*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "bes10*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "black*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "robo*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "copy*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "store.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "sql*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "vee*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "wrsa*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "wrsa.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "postg*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "sage*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
    3⤵
    PID:3236
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQL$ISARS"
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ISARS"
    3⤵
    PID:3516
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQL$MSFW"
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$MSFW"
    3⤵
    PID:3228
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLAgent$ISARS"
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ISARS"
    3⤵
    PID:3220
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLAgent$MSFW"
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$MSFW"
    3⤵
    PID:3592
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLBrowser"
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser"
    3⤵
    PID:3472
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ReportServer$ISARS"
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$ISARS"
    3⤵
    PID:3772
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLWriter"
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter"
    3⤵
    PID:3644
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "WinDefend"
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:3668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "mr2kserv"
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mr2kserv"
    3⤵
    PID:3564
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeADTopology"
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeADTopology"
    3⤵
    PID:3276
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeFBA"
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeFBA"
    3⤵
    PID:3720
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeIS"
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS"
    3⤵
    PID:3292
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeSA"
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA"
    3⤵
    PID:3284
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ShadowProtectSvc"
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShadowProtectSvc"
    3⤵
    PID:3680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPAdminV4"
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPAdminV4"
    3⤵
    PID:3808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPTimerV4"
  2⤵
  PID:2368
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPTimerV4"
    3⤵
    PID:3572
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPTraceV4"
  2⤵
  PID:2392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPTraceV4"
    3⤵
    PID:3656
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPUserCodeV4"
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPUserCodeV4"
    3⤵
    PID:3300
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPWriterV4"
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPWriterV4"
    3⤵
    PID:3584
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPSearch4"
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPSearch4"
    3⤵
    PID:3464
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
    3⤵
    PID:3636
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IISADMIN"
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISADMIN"
    3⤵
    PID:3268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "firebirdguardiandefaultinstance"
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "firebirdguardiandefaultinstance"
    3⤵
    PID:3440
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ibmiasrw"
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ibmiasrw"
    3⤵
    PID:3728
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBCFMonitorService"
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBCFMonitorService"
    3⤵
    PID:3500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBVSS"
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBVSS"
    3⤵
    PID:3880
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBPOSDBServiceV12"
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBPOSDBServiceV12"
    3⤵
    PID:3604
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:3860
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:2936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:3624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IISADMIN"
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISADMIN"
    3⤵
    PID:3612
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:3484
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB1"
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB1"
    3⤵
    PID:3508
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB2"
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB2"
    3⤵
    PID:3552
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB3"
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB3"
    3⤵
    PID:3708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB4"
  2⤵
  PID:2540

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads