57594f717e61f16279700e7f364b2856ac853b7d76f284621e3aa46d3f7faa3c

Analysis

max time kernel
83s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
31/10/2020, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inn.bin.exe
Size

155KB
MD5

af568e8a6060812f040f0cb0fd6f5a7b
SHA1

e7f0c17b338d78c4f8b82b032af9f81828512b30
SHA256

3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9
SHA512

2c44272dcf130a95ea0e83fa02d2629edecf94b16452127f2e177f00f4bf48f2e306ec53b28d2005a27e8b683dc683fb54146a711233aa1e1c4256a9e4ac979b

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Boot\bg-BG\read_me_lkd.txt

Ransom Note

Hello Technology and Strategy! All your fileservers, HyperV infrastructure and backups have been encrypted! Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data! The only way to recover your files is by cooperating with us. To prove our seriousness, we can decrypt 1 non - critical file for free as proof. Contacts: [email protected] [email protected]

Emails

[email protected]

Signatures

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SelectClose.tiff	inn.bin.exe
File renamed	C:\Users\Admin\Pictures\AddBackup.tif => C:\Users\Admin\Pictures\AddBackup.tif.crypted	inn.bin.exe
File renamed	C:\Users\Admin\Pictures\ConnectRename.raw => C:\Users\Admin\Pictures\ConnectRename.raw.crypted	inn.bin.exe
File renamed	C:\Users\Admin\Pictures\DisableRequest.raw => C:\Users\Admin\Pictures\DisableRequest.raw.crypted	inn.bin.exe
File renamed	C:\Users\Admin\Pictures\ExitSkip.raw => C:\Users\Admin\Pictures\ExitSkip.raw.crypted	inn.bin.exe
File renamed	C:\Users\Admin\Pictures\ResizeSkip.crw => C:\Users\Admin\Pictures\ResizeSkip.crw.crypted	inn.bin.exe
File renamed	C:\Users\Admin\Pictures\SelectClose.tiff => C:\Users\Admin\Pictures\SelectClose.tiff.crypted	inn.bin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Kills process with taskkill 140 IoCs

evasion

pid	Process
9624	taskkill.exe
5100	taskkill.exe
4924	taskkill.exe
8176	taskkill.exe
9588	taskkill.exe
3968	taskkill.exe
8124	taskkill.exe
8328	taskkill.exe
8932	taskkill.exe
2260	taskkill.exe
5824	taskkill.exe
5720	taskkill.exe
7512	taskkill.exe
8484	taskkill.exe
6096	taskkill.exe
5228	taskkill.exe
5144	taskkill.exe
7372	taskkill.exe
6876	taskkill.exe
7304	taskkill.exe
8028	taskkill.exe
8880	taskkill.exe
6620	taskkill.exe
6772	taskkill.exe
8656	taskkill.exe
6108	taskkill.exe
4860	taskkill.exe
7016	taskkill.exe
5748	taskkill.exe
9428	taskkill.exe
1320	taskkill.exe
5572	taskkill.exe
5376	taskkill.exe
3524	taskkill.exe
4216	taskkill.exe
6712	taskkill.exe
7624	taskkill.exe
8548	taskkill.exe
9180	taskkill.exe
4052	taskkill.exe
5992	taskkill.exe
1452	taskkill.exe
4940	taskkill.exe
5792	taskkill.exe
8220	taskkill.exe
9088	taskkill.exe
6448	taskkill.exe
7928	taskkill.exe
8196	taskkill.exe
1364	taskkill.exe
8704	taskkill.exe
8420	taskkill.exe
8788	taskkill.exe
3884	taskkill.exe
5652	taskkill.exe
7728	taskkill.exe
8832	taskkill.exe
9508	taskkill.exe
4352	taskkill.exe
5312	taskkill.exe
3476	taskkill.exe
2668	taskkill.exe
1208	taskkill.exe
9364	taskkill.exe
7840	taskkill.exe
8036	taskkill.exe
9132	taskkill.exe
7352	taskkill.exe
7376	taskkill.exe
9052	taskkill.exe
9324	taskkill.exe
4136	taskkill.exe
4272	taskkill.exe
5972	taskkill.exe
7260	taskkill.exe
7680	taskkill.exe
2828	taskkill.exe
5732	taskkill.exe
6696	taskkill.exe
5540	taskkill.exe
6848	taskkill.exe
7880	taskkill.exe
8596	taskkill.exe
5948	taskkill.exe
7452	taskkill.exe
7688	taskkill.exe
8924	taskkill.exe
4728	taskkill.exe
8072	taskkill.exe
8368	taskkill.exe
9004	taskkill.exe
9268	taskkill.exe
6760	taskkill.exe
7488	taskkill.exe
7788	taskkill.exe
5204	taskkill.exe
5816	taskkill.exe
5140	taskkill.exe
7312	taskkill.exe
8744	taskkill.exe
2356	taskkill.exe
6544	taskkill.exe
6372	taskkill.exe
5472	taskkill.exe
5896	taskkill.exe
8664	taskkill.exe
4820	taskkill.exe
6184	taskkill.exe
6048	taskkill.exe
6340	taskkill.exe
7648	taskkill.exe
3868	taskkill.exe
5744	taskkill.exe
6440	taskkill.exe
7992	taskkill.exe
8268	taskkill.exe
8320	taskkill.exe
5320	taskkill.exe
7032	taskkill.exe
6324	taskkill.exe
5848	taskkill.exe
5196	taskkill.exe
4652	taskkill.exe
2196	taskkill.exe
4932	taskkill.exe
6572	taskkill.exe
7188	taskkill.exe
2172	taskkill.exe
2364	taskkill.exe
3892	taskkill.exe
6268	taskkill.exe
4984	taskkill.exe
5564	taskkill.exe
5076	taskkill.exe
4676	taskkill.exe
7276	taskkill.exe
2632	taskkill.exe
4176	taskkill.exe
4968	taskkill.exe
9544	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 190 IoCs

pid	Process
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe
2868	inn.bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2868	inn.bin.exe

Suspicious use of AdjustPrivilegeToken 143 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	4176	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	5824	taskkill.exe
Token: SeDebugPrivilege	5204	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	6760	taskkill.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: SeDebugPrivilege	6048	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeDebugPrivilege	6184	taskkill.exe
Token: SeDebugPrivilege	5652	taskkill.exe
Token: SeDebugPrivilege	5572	taskkill.exe
Token: SeDebugPrivilege	5472	taskkill.exe
Token: SeDebugPrivilege	6544	taskkill.exe
Token: SeDebugPrivilege	5540	taskkill.exe
Token: SeDebugPrivilege	5376	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	6340	taskkill.exe
Token: SeDebugPrivilege	5948	taskkill.exe
Token: SeDebugPrivilege	5896	taskkill.exe
Token: SeDebugPrivilege	6096	taskkill.exe
Token: SeDebugPrivilege	5228	taskkill.exe
Token: SeDebugPrivilege	5972	taskkill.exe
Token: SeDebugPrivilege	6620	taskkill.exe
Token: SeDebugPrivilege	6712	taskkill.exe
Token: SeDebugPrivilege	7032	taskkill.exe
Token: SeDebugPrivilege	6108	taskkill.exe
Token: SeDebugPrivilege	5564	taskkill.exe
Token: SeDebugPrivilege	6372	taskkill.exe
Token: SeDebugPrivilege	6876	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	6268	taskkill.exe
Token: SeDebugPrivilege	5992	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	5732	taskkill.exe
Token: SeDebugPrivilege	5744	taskkill.exe
Token: SeDebugPrivilege	7016	taskkill.exe
Token: SeDebugPrivilege	6696	taskkill.exe
Token: SeDebugPrivilege	6572	taskkill.exe
Token: SeDebugPrivilege	6848	taskkill.exe
Token: SeDebugPrivilege	5848	taskkill.exe
Token: SeDebugPrivilege	5748	taskkill.exe
Token: SeDebugPrivilege	5144	taskkill.exe
Token: SeDebugPrivilege	5196	taskkill.exe
Token: SeDebugPrivilege	6440	taskkill.exe
Token: SeDebugPrivilege	5816	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	5792	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	5312	taskkill.exe
Token: SeDebugPrivilege	6772	taskkill.exe
Token: SeDebugPrivilege	6448	taskkill.exe
Token: SeDebugPrivilege	6324	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	5140	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	7188	taskkill.exe
Token: SeDebugPrivilege	7376	taskkill.exe
Token: SeDebugPrivilege	7352	taskkill.exe
Token: SeDebugPrivilege	7260	taskkill.exe
Token: SeDebugPrivilege	7304	taskkill.exe
Token: SeDebugPrivilege	7452	taskkill.exe
Token: SeDebugPrivilege	7488	taskkill.exe
Token: SeDebugPrivilege	7624	taskkill.exe
Token: SeDebugPrivilege	7648	taskkill.exe
Token: SeDebugPrivilege	7512	taskkill.exe
Token: SeDebugPrivilege	7788	taskkill.exe
Token: SeDebugPrivilege	7680	taskkill.exe
Token: SeDebugPrivilege	7728	taskkill.exe
Token: SeDebugPrivilege	7928	taskkill.exe
Token: SeDebugPrivilege	7840	taskkill.exe
Token: SeDebugPrivilege	7992	taskkill.exe
Token: SeDebugPrivilege	7880	taskkill.exe
Token: SeDebugPrivilege	8124	taskkill.exe
Token: SeDebugPrivilege	8072	taskkill.exe
Token: SeDebugPrivilege	8028	taskkill.exe
Token: SeDebugPrivilege	8176	taskkill.exe
Token: SeDebugPrivilege	7276	taskkill.exe
Token: SeDebugPrivilege	7372	taskkill.exe
Token: SeDebugPrivilege	7312	taskkill.exe
Token: SeDebugPrivilege	8036	taskkill.exe
Token: SeDebugPrivilege	7688	taskkill.exe
Token: SeDebugPrivilege	8196	taskkill.exe
Token: SeDebugPrivilege	8268	taskkill.exe
Token: SeDebugPrivilege	8220	taskkill.exe
Token: SeDebugPrivilege	8320	taskkill.exe
Token: SeDebugPrivilege	8420	taskkill.exe
Token: SeDebugPrivilege	8368	taskkill.exe
Token: SeDebugPrivilege	8484	taskkill.exe
Token: SeDebugPrivilege	8548	taskkill.exe
Token: SeDebugPrivilege	8596	taskkill.exe
Token: SeDebugPrivilege	8656	taskkill.exe
Token: SeDebugPrivilege	8704	taskkill.exe
Token: SeDebugPrivilege	8788	taskkill.exe
Token: SeDebugPrivilege	8744	taskkill.exe
Token: SeDebugPrivilege	8932	taskkill.exe
Token: SeDebugPrivilege	8832	taskkill.exe
Token: SeDebugPrivilege	8880	taskkill.exe
Token: SeDebugPrivilege	9052	taskkill.exe
Token: SeDebugPrivilege	9132	taskkill.exe
Token: SeDebugPrivilege	9004	taskkill.exe
Token: SeDebugPrivilege	9088	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	8328	taskkill.exe
Token: SeDebugPrivilege	9180	taskkill.exe
Token: SeDebugPrivilege	8664	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	8924	taskkill.exe
Token: SeDebugPrivilege	9364	taskkill.exe
Token: SeDebugPrivilege	9324	taskkill.exe
Token: SeDebugPrivilege	9268	taskkill.exe
Token: SeDebugPrivilege	9428	taskkill.exe
Token: SeDebugPrivilege	9508	taskkill.exe
Token: SeDebugPrivilege	9588	taskkill.exe
Token: SeDebugPrivilege	9624	taskkill.exe
Token: SeDebugPrivilege	9544	taskkill.exe
Token: SeBackupPrivilege	11548	vssvc.exe
Token: SeRestorePrivilege	11548	vssvc.exe
Token: SeAuditPrivilege	11548	vssvc.exe

Suspicious use of WriteProcessMemory 762 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2196	2868	inn.bin.exe	75
PID 2868 wrote to memory of 2196	2868	inn.bin.exe	75
PID 2868 wrote to memory of 2196	2868	inn.bin.exe	75
PID 2868 wrote to memory of 2828	2868	inn.bin.exe	76
PID 2868 wrote to memory of 2828	2868	inn.bin.exe	76
PID 2868 wrote to memory of 2828	2868	inn.bin.exe	76
PID 2868 wrote to memory of 3884	2868	inn.bin.exe	78
PID 2868 wrote to memory of 3884	2868	inn.bin.exe	78
PID 2868 wrote to memory of 3884	2868	inn.bin.exe	78
PID 2868 wrote to memory of 3968	2868	inn.bin.exe	80
PID 2868 wrote to memory of 3968	2868	inn.bin.exe	80
PID 2868 wrote to memory of 3968	2868	inn.bin.exe	80
PID 2868 wrote to memory of 2356	2868	inn.bin.exe	82
PID 2868 wrote to memory of 2356	2868	inn.bin.exe	82
PID 2868 wrote to memory of 2356	2868	inn.bin.exe	82
PID 2868 wrote to memory of 2632	2868	inn.bin.exe	84
PID 2868 wrote to memory of 2632	2868	inn.bin.exe	84
PID 2868 wrote to memory of 2632	2868	inn.bin.exe	84
PID 2868 wrote to memory of 1364	2868	inn.bin.exe	86
PID 2868 wrote to memory of 1364	2868	inn.bin.exe	86
PID 2868 wrote to memory of 1364	2868	inn.bin.exe	86
PID 2868 wrote to memory of 2668	2868	inn.bin.exe	88
PID 2868 wrote to memory of 2668	2868	inn.bin.exe	88
PID 2868 wrote to memory of 2668	2868	inn.bin.exe	88
PID 2868 wrote to memory of 3524	2868	inn.bin.exe	90
PID 2868 wrote to memory of 3524	2868	inn.bin.exe	90
PID 2868 wrote to memory of 3524	2868	inn.bin.exe	90
PID 2868 wrote to memory of 2260	2868	inn.bin.exe	92
PID 2868 wrote to memory of 2260	2868	inn.bin.exe	92
PID 2868 wrote to memory of 2260	2868	inn.bin.exe	92
PID 2868 wrote to memory of 1320	2868	inn.bin.exe	94
PID 2868 wrote to memory of 1320	2868	inn.bin.exe	94
PID 2868 wrote to memory of 1320	2868	inn.bin.exe	94
PID 2868 wrote to memory of 4052	2868	inn.bin.exe	96
PID 2868 wrote to memory of 4052	2868	inn.bin.exe	96
PID 2868 wrote to memory of 4052	2868	inn.bin.exe	96
PID 2868 wrote to memory of 1208	2868	inn.bin.exe	98
PID 2868 wrote to memory of 1208	2868	inn.bin.exe	98
PID 2868 wrote to memory of 1208	2868	inn.bin.exe	98
PID 2868 wrote to memory of 2364	2868	inn.bin.exe	100
PID 2868 wrote to memory of 2364	2868	inn.bin.exe	100
PID 2868 wrote to memory of 2364	2868	inn.bin.exe	100
PID 2868 wrote to memory of 3892	2868	inn.bin.exe	102
PID 2868 wrote to memory of 3892	2868	inn.bin.exe	102
PID 2868 wrote to memory of 3892	2868	inn.bin.exe	102
PID 2868 wrote to memory of 4136	2868	inn.bin.exe	104
PID 2868 wrote to memory of 4136	2868	inn.bin.exe	104
PID 2868 wrote to memory of 4136	2868	inn.bin.exe	104
PID 2868 wrote to memory of 4176	2868	inn.bin.exe	106
PID 2868 wrote to memory of 4176	2868	inn.bin.exe	106
PID 2868 wrote to memory of 4176	2868	inn.bin.exe	106
PID 2868 wrote to memory of 4216	2868	inn.bin.exe	108
PID 2868 wrote to memory of 4216	2868	inn.bin.exe	108
PID 2868 wrote to memory of 4216	2868	inn.bin.exe	108
PID 2868 wrote to memory of 4272	2868	inn.bin.exe	110
PID 2868 wrote to memory of 4272	2868	inn.bin.exe	110
PID 2868 wrote to memory of 4272	2868	inn.bin.exe	110
PID 2868 wrote to memory of 4352	2868	inn.bin.exe	113
PID 2868 wrote to memory of 4352	2868	inn.bin.exe	113
PID 2868 wrote to memory of 4352	2868	inn.bin.exe	113
PID 2868 wrote to memory of 4424	2868	inn.bin.exe	115
PID 2868 wrote to memory of 4424	2868	inn.bin.exe	115
PID 2868 wrote to memory of 4424	2868	inn.bin.exe	115
PID 2868 wrote to memory of 4472	2868	inn.bin.exe	116
PID 2868 wrote to memory of 4472	2868	inn.bin.exe	116
PID 2868 wrote to memory of 4472	2868	inn.bin.exe	116
PID 2868 wrote to memory of 4492	2868	inn.bin.exe	117
PID 2868 wrote to memory of 4492	2868	inn.bin.exe	117
PID 2868 wrote to memory of 4492	2868	inn.bin.exe	117
PID 2868 wrote to memory of 4524	2868	inn.bin.exe	119
PID 2868 wrote to memory of 4524	2868	inn.bin.exe	119
PID 2868 wrote to memory of 4524	2868	inn.bin.exe	119
PID 2868 wrote to memory of 4564	2868	inn.bin.exe	122
PID 2868 wrote to memory of 4564	2868	inn.bin.exe	122
PID 2868 wrote to memory of 4564	2868	inn.bin.exe	122
PID 2868 wrote to memory of 4612	2868	inn.bin.exe	124
PID 2868 wrote to memory of 4612	2868	inn.bin.exe	124
PID 2868 wrote to memory of 4612	2868	inn.bin.exe	124
PID 2868 wrote to memory of 4660	2868	inn.bin.exe	126
PID 2868 wrote to memory of 4660	2868	inn.bin.exe	126
PID 2868 wrote to memory of 4660	2868	inn.bin.exe	126
PID 2868 wrote to memory of 4712	2868	inn.bin.exe	128
PID 2868 wrote to memory of 4712	2868	inn.bin.exe	128
PID 2868 wrote to memory of 4712	2868	inn.bin.exe	128
PID 2868 wrote to memory of 4752	2868	inn.bin.exe	130
PID 2868 wrote to memory of 4752	2868	inn.bin.exe	130
PID 2868 wrote to memory of 4752	2868	inn.bin.exe	130
PID 2868 wrote to memory of 4792	2868	inn.bin.exe	132
PID 2868 wrote to memory of 4792	2868	inn.bin.exe	132
PID 2868 wrote to memory of 4792	2868	inn.bin.exe	132
PID 2868 wrote to memory of 4824	2868	inn.bin.exe	133
PID 2868 wrote to memory of 4824	2868	inn.bin.exe	133
PID 2868 wrote to memory of 4824	2868	inn.bin.exe	133
PID 2868 wrote to memory of 4864	2868	inn.bin.exe	136
PID 2868 wrote to memory of 4864	2868	inn.bin.exe	136
PID 2868 wrote to memory of 4864	2868	inn.bin.exe	136
PID 2868 wrote to memory of 4912	2868	inn.bin.exe	138
PID 2868 wrote to memory of 4912	2868	inn.bin.exe	138
PID 2868 wrote to memory of 4912	2868	inn.bin.exe	138
PID 2868 wrote to memory of 4956	2868	inn.bin.exe	140
PID 2868 wrote to memory of 4956	2868	inn.bin.exe	140
PID 2868 wrote to memory of 4956	2868	inn.bin.exe	140
PID 2868 wrote to memory of 5012	2868	inn.bin.exe	142
PID 2868 wrote to memory of 5012	2868	inn.bin.exe	142
PID 2868 wrote to memory of 5012	2868	inn.bin.exe	142
PID 2868 wrote to memory of 5064	2868	inn.bin.exe	144
PID 2868 wrote to memory of 5064	2868	inn.bin.exe	144
PID 2868 wrote to memory of 5064	2868	inn.bin.exe	144
PID 2868 wrote to memory of 3516	2868	inn.bin.exe	146
PID 2868 wrote to memory of 3516	2868	inn.bin.exe	146
PID 2868 wrote to memory of 3516	2868	inn.bin.exe	146
PID 2868 wrote to memory of 4348	2868	inn.bin.exe	148
PID 2868 wrote to memory of 4348	2868	inn.bin.exe	148
PID 2868 wrote to memory of 4348	2868	inn.bin.exe	148
PID 4424 wrote to memory of 4540	4424	net.exe	149
PID 4424 wrote to memory of 4540	4424	net.exe	149
PID 4424 wrote to memory of 4540	4424	net.exe	149
PID 4612 wrote to memory of 4620	4612	net.exe	150
PID 4612 wrote to memory of 4620	4612	net.exe	150
PID 4612 wrote to memory of 4620	4612	net.exe	150
PID 4524 wrote to memory of 4480	4524	net.exe	151
PID 4524 wrote to memory of 4480	4524	net.exe	151
PID 4524 wrote to memory of 4480	4524	net.exe	151
PID 4492 wrote to memory of 4780	4492	net.exe	152
PID 4492 wrote to memory of 4780	4492	net.exe	152
PID 4492 wrote to memory of 4780	4492	net.exe	152
PID 4564 wrote to memory of 4920	4564	net.exe	154
PID 4564 wrote to memory of 4920	4564	net.exe	154
PID 4564 wrote to memory of 4920	4564	net.exe	154
PID 4472 wrote to memory of 4964	4472	net.exe	155
PID 4472 wrote to memory of 4964	4472	net.exe	155
PID 4472 wrote to memory of 4964	4472	net.exe	155
PID 2868 wrote to memory of 5020	2868	inn.bin.exe	156
PID 2868 wrote to memory of 5020	2868	inn.bin.exe	156
PID 2868 wrote to memory of 5020	2868	inn.bin.exe	156
PID 2868 wrote to memory of 5176	2868	inn.bin.exe	159
PID 2868 wrote to memory of 5176	2868	inn.bin.exe	159
PID 2868 wrote to memory of 5176	2868	inn.bin.exe	159
PID 4660 wrote to memory of 5208	4660	net.exe	160
PID 4660 wrote to memory of 5208	4660	net.exe	160
PID 4660 wrote to memory of 5208	4660	net.exe	160
PID 2868 wrote to memory of 5232	2868	inn.bin.exe	161
PID 2868 wrote to memory of 5232	2868	inn.bin.exe	161
PID 2868 wrote to memory of 5232	2868	inn.bin.exe	161
PID 4752 wrote to memory of 5256	4752	net.exe	162
PID 4752 wrote to memory of 5256	4752	net.exe	162
PID 4752 wrote to memory of 5256	4752	net.exe	162
PID 4712 wrote to memory of 5276	4712	net.exe	163
PID 4712 wrote to memory of 5276	4712	net.exe	163
PID 4712 wrote to memory of 5276	4712	net.exe	163
PID 2868 wrote to memory of 5304	2868	inn.bin.exe	165
PID 2868 wrote to memory of 5304	2868	inn.bin.exe	165
PID 2868 wrote to memory of 5304	2868	inn.bin.exe	165
PID 2868 wrote to memory of 5340	2868	inn.bin.exe	167
PID 2868 wrote to memory of 5340	2868	inn.bin.exe	167
PID 2868 wrote to memory of 5340	2868	inn.bin.exe	167
PID 4792 wrote to memory of 5364	4792	net.exe	168
PID 4792 wrote to memory of 5364	4792	net.exe	168
PID 4792 wrote to memory of 5364	4792	net.exe	168
PID 2868 wrote to memory of 5404	2868	inn.bin.exe	170
PID 2868 wrote to memory of 5404	2868	inn.bin.exe	170
PID 2868 wrote to memory of 5404	2868	inn.bin.exe	170
PID 4824 wrote to memory of 5424	4824	net.exe	171
PID 4824 wrote to memory of 5424	4824	net.exe	171
PID 4824 wrote to memory of 5424	4824	net.exe	171
PID 2868 wrote to memory of 5504	2868	inn.bin.exe	173
PID 2868 wrote to memory of 5504	2868	inn.bin.exe	173
PID 2868 wrote to memory of 5504	2868	inn.bin.exe	173
PID 2868 wrote to memory of 5548	2868	inn.bin.exe	175
PID 2868 wrote to memory of 5548	2868	inn.bin.exe	175
PID 2868 wrote to memory of 5548	2868	inn.bin.exe	175
PID 4912 wrote to memory of 5596	4912	net.exe	176
PID 4912 wrote to memory of 5596	4912	net.exe	176
PID 4912 wrote to memory of 5596	4912	net.exe	176
PID 2868 wrote to memory of 5628	2868	inn.bin.exe	178
PID 2868 wrote to memory of 5628	2868	inn.bin.exe	178
PID 2868 wrote to memory of 5628	2868	inn.bin.exe	178
PID 4864 wrote to memory of 5668	4864	net.exe	179
PID 4864 wrote to memory of 5668	4864	net.exe	179
PID 4864 wrote to memory of 5668	4864	net.exe	179
PID 4956 wrote to memory of 5680	4956	net.exe	180
PID 4956 wrote to memory of 5680	4956	net.exe	180
PID 4956 wrote to memory of 5680	4956	net.exe	180
PID 2868 wrote to memory of 5708	2868	inn.bin.exe	182
PID 2868 wrote to memory of 5708	2868	inn.bin.exe	182
PID 2868 wrote to memory of 5708	2868	inn.bin.exe	182
PID 2868 wrote to memory of 5768	2868	inn.bin.exe	184
PID 2868 wrote to memory of 5768	2868	inn.bin.exe	184
PID 2868 wrote to memory of 5768	2868	inn.bin.exe	184
PID 3516 wrote to memory of 5804	3516	net.exe	186
PID 3516 wrote to memory of 5804	3516	net.exe	186
PID 3516 wrote to memory of 5804	3516	net.exe	186
PID 5012 wrote to memory of 5820	5012	net.exe	187
PID 5012 wrote to memory of 5820	5012	net.exe	187
PID 5012 wrote to memory of 5820	5012	net.exe	187
PID 2868 wrote to memory of 5852	2868	inn.bin.exe	188
PID 2868 wrote to memory of 5852	2868	inn.bin.exe	188
PID 2868 wrote to memory of 5852	2868	inn.bin.exe	188
PID 5064 wrote to memory of 5872	5064	net.exe	189
PID 5064 wrote to memory of 5872	5064	net.exe	189
PID 5064 wrote to memory of 5872	5064	net.exe	189
PID 2868 wrote to memory of 5924	2868	inn.bin.exe	191
PID 2868 wrote to memory of 5924	2868	inn.bin.exe	191
PID 2868 wrote to memory of 5924	2868	inn.bin.exe	191
PID 2868 wrote to memory of 5968	2868	inn.bin.exe	193
PID 2868 wrote to memory of 5968	2868	inn.bin.exe	193
PID 2868 wrote to memory of 5968	2868	inn.bin.exe	193
PID 4348 wrote to memory of 6004	4348	net.exe	194
PID 4348 wrote to memory of 6004	4348	net.exe	194
PID 4348 wrote to memory of 6004	4348	net.exe	194
PID 5020 wrote to memory of 6052	5020	net.exe	196
PID 5020 wrote to memory of 6052	5020	net.exe	196
PID 5020 wrote to memory of 6052	5020	net.exe	196
PID 5176 wrote to memory of 6064	5176	net.exe	197
PID 5176 wrote to memory of 6064	5176	net.exe	197
PID 5176 wrote to memory of 6064	5176	net.exe	197
PID 2868 wrote to memory of 6076	2868	inn.bin.exe	198
PID 2868 wrote to memory of 6076	2868	inn.bin.exe	198
PID 2868 wrote to memory of 6076	2868	inn.bin.exe	198
PID 2868 wrote to memory of 6112	2868	inn.bin.exe	200
PID 2868 wrote to memory of 6112	2868	inn.bin.exe	200
PID 2868 wrote to memory of 6112	2868	inn.bin.exe	200
PID 2868 wrote to memory of 4840	2868	inn.bin.exe	202
PID 2868 wrote to memory of 4840	2868	inn.bin.exe	202
PID 2868 wrote to memory of 4840	2868	inn.bin.exe	202
PID 5232 wrote to memory of 5268	5232	net.exe	203
PID 5232 wrote to memory of 5268	5232	net.exe	203
PID 5232 wrote to memory of 5268	5232	net.exe	203
PID 5304 wrote to memory of 5284	5304	net.exe	204
PID 5304 wrote to memory of 5284	5304	net.exe	204
PID 5304 wrote to memory of 5284	5304	net.exe	204
PID 2868 wrote to memory of 5636	2868	inn.bin.exe	205
PID 2868 wrote to memory of 5636	2868	inn.bin.exe	205
PID 2868 wrote to memory of 5636	2868	inn.bin.exe	205
PID 5340 wrote to memory of 5976	5340	net.exe	208
PID 5340 wrote to memory of 5976	5340	net.exe	208
PID 5340 wrote to memory of 5976	5340	net.exe	208
PID 2868 wrote to memory of 6084	2868	inn.bin.exe	209
PID 2868 wrote to memory of 6084	2868	inn.bin.exe	209
PID 2868 wrote to memory of 6084	2868	inn.bin.exe	209
PID 2868 wrote to memory of 6168	2868	inn.bin.exe	211
PID 2868 wrote to memory of 6168	2868	inn.bin.exe	211
PID 2868 wrote to memory of 6168	2868	inn.bin.exe	211
PID 5504 wrote to memory of 6200	5504	net.exe	212
PID 5504 wrote to memory of 6200	5504	net.exe	212
PID 5504 wrote to memory of 6200	5504	net.exe	212
PID 5548 wrote to memory of 6212	5548	net.exe	213
PID 5548 wrote to memory of 6212	5548	net.exe	213
PID 5548 wrote to memory of 6212	5548	net.exe	213
PID 5404 wrote to memory of 6228	5404	net.exe	214
PID 5404 wrote to memory of 6228	5404	net.exe	214
PID 5404 wrote to memory of 6228	5404	net.exe	214
PID 2868 wrote to memory of 6264	2868	inn.bin.exe	216
PID 2868 wrote to memory of 6264	2868	inn.bin.exe	216
PID 2868 wrote to memory of 6264	2868	inn.bin.exe	216
PID 5708 wrote to memory of 6296	5708	net.exe	217
PID 5708 wrote to memory of 6296	5708	net.exe	217
PID 5708 wrote to memory of 6296	5708	net.exe	217
PID 2868 wrote to memory of 6332	2868	inn.bin.exe	219
PID 2868 wrote to memory of 6332	2868	inn.bin.exe	219
PID 2868 wrote to memory of 6332	2868	inn.bin.exe	219
PID 5628 wrote to memory of 6348	5628	net.exe	220
PID 5628 wrote to memory of 6348	5628	net.exe	220
PID 5628 wrote to memory of 6348	5628	net.exe	220
PID 2868 wrote to memory of 6392	2868	inn.bin.exe	221
PID 2868 wrote to memory of 6392	2868	inn.bin.exe	221
PID 2868 wrote to memory of 6392	2868	inn.bin.exe	221
PID 2868 wrote to memory of 6444	2868	inn.bin.exe	224
PID 2868 wrote to memory of 6444	2868	inn.bin.exe	224
PID 2868 wrote to memory of 6444	2868	inn.bin.exe	224
PID 2868 wrote to memory of 6484	2868	inn.bin.exe	226
PID 2868 wrote to memory of 6484	2868	inn.bin.exe	226
PID 2868 wrote to memory of 6484	2868	inn.bin.exe	226
PID 5768 wrote to memory of 6508	5768	net.exe	227
PID 5768 wrote to memory of 6508	5768	net.exe	227
PID 5768 wrote to memory of 6508	5768	net.exe	227
PID 2868 wrote to memory of 6580	2868	inn.bin.exe	229
PID 2868 wrote to memory of 6580	2868	inn.bin.exe	229
PID 2868 wrote to memory of 6580	2868	inn.bin.exe	229
PID 5852 wrote to memory of 6608	5852	net.exe	230
PID 5852 wrote to memory of 6608	5852	net.exe	230
PID 5852 wrote to memory of 6608	5852	net.exe	230
PID 2868 wrote to memory of 6664	2868	inn.bin.exe	232
PID 2868 wrote to memory of 6664	2868	inn.bin.exe	232
PID 2868 wrote to memory of 6664	2868	inn.bin.exe	232
PID 2868 wrote to memory of 6720	2868	inn.bin.exe	234
PID 2868 wrote to memory of 6720	2868	inn.bin.exe	234
PID 2868 wrote to memory of 6720	2868	inn.bin.exe	234
PID 5924 wrote to memory of 6748	5924	net.exe	236
PID 5924 wrote to memory of 6748	5924	net.exe	236
PID 5924 wrote to memory of 6748	5924	net.exe	236
PID 5968 wrote to memory of 6740	5968	net.exe	235
PID 5968 wrote to memory of 6740	5968	net.exe	235
PID 5968 wrote to memory of 6740	5968	net.exe	235
PID 2868 wrote to memory of 6764	2868	inn.bin.exe	237
PID 2868 wrote to memory of 6764	2868	inn.bin.exe	237
PID 2868 wrote to memory of 6764	2868	inn.bin.exe	237
PID 6076 wrote to memory of 6808	6076	net.exe	239
PID 6076 wrote to memory of 6808	6076	net.exe	239
PID 6076 wrote to memory of 6808	6076	net.exe	239
PID 6112 wrote to memory of 6816	6112	net.exe	240
PID 6112 wrote to memory of 6816	6112	net.exe	240
PID 6112 wrote to memory of 6816	6112	net.exe	240
PID 2868 wrote to memory of 6856	2868	inn.bin.exe	242
PID 2868 wrote to memory of 6856	2868	inn.bin.exe	242
PID 2868 wrote to memory of 6856	2868	inn.bin.exe	242
PID 4840 wrote to memory of 6892	4840	net.exe	243
PID 4840 wrote to memory of 6892	4840	net.exe	243
PID 4840 wrote to memory of 6892	4840	net.exe	243
PID 2868 wrote to memory of 6936	2868	inn.bin.exe	245
PID 2868 wrote to memory of 6936	2868	inn.bin.exe	245
PID 2868 wrote to memory of 6936	2868	inn.bin.exe	245
PID 2868 wrote to memory of 6984	2868	inn.bin.exe	247
PID 2868 wrote to memory of 6984	2868	inn.bin.exe	247
PID 2868 wrote to memory of 6984	2868	inn.bin.exe	247
PID 6084 wrote to memory of 7028	6084	net.exe	248
PID 6084 wrote to memory of 7028	6084	net.exe	248
PID 6084 wrote to memory of 7028	6084	net.exe	248
PID 2868 wrote to memory of 7040	2868	inn.bin.exe	249
PID 2868 wrote to memory of 7040	2868	inn.bin.exe	249
PID 2868 wrote to memory of 7040	2868	inn.bin.exe	249
PID 5636 wrote to memory of 7068	5636	net.exe	251
PID 5636 wrote to memory of 7068	5636	net.exe	251
PID 5636 wrote to memory of 7068	5636	net.exe	251
PID 6168 wrote to memory of 7084	6168	net.exe	252
PID 6168 wrote to memory of 7084	6168	net.exe	252
PID 6168 wrote to memory of 7084	6168	net.exe	252
PID 2868 wrote to memory of 7136	2868	inn.bin.exe	254
PID 2868 wrote to memory of 7136	2868	inn.bin.exe	254
PID 2868 wrote to memory of 7136	2868	inn.bin.exe	254
PID 2868 wrote to memory of 6036	2868	inn.bin.exe	256
PID 2868 wrote to memory of 6036	2868	inn.bin.exe	256
PID 2868 wrote to memory of 6036	2868	inn.bin.exe	256
PID 2868 wrote to memory of 1768	2868	inn.bin.exe	258
PID 2868 wrote to memory of 1768	2868	inn.bin.exe	258
PID 2868 wrote to memory of 1768	2868	inn.bin.exe	258
PID 6332 wrote to memory of 4004	6332	net.exe	259
PID 6332 wrote to memory of 4004	6332	net.exe	259
PID 6332 wrote to memory of 4004	6332	net.exe	259
PID 2868 wrote to memory of 6836	2868	inn.bin.exe	260
PID 2868 wrote to memory of 6836	2868	inn.bin.exe	260
PID 2868 wrote to memory of 6836	2868	inn.bin.exe	260
PID 6264 wrote to memory of 5624	6264	net.exe	263
PID 6264 wrote to memory of 5624	6264	net.exe	263
PID 6264 wrote to memory of 5624	6264	net.exe	263
PID 6444 wrote to memory of 5560	6444	net.exe	264
PID 6444 wrote to memory of 5560	6444	net.exe	264
PID 6444 wrote to memory of 5560	6444	net.exe	264
PID 6392 wrote to memory of 6824	6392	net.exe	265
PID 6392 wrote to memory of 6824	6392	net.exe	265
PID 6392 wrote to memory of 6824	6392	net.exe	265
PID 2868 wrote to memory of 4496	2868	inn.bin.exe	266
PID 2868 wrote to memory of 4496	2868	inn.bin.exe	266
PID 2868 wrote to memory of 4496	2868	inn.bin.exe	266
PID 6720 wrote to memory of 4616	6720	net.exe	267
PID 6720 wrote to memory of 4616	6720	net.exe	267
PID 6720 wrote to memory of 4616	6720	net.exe	267
PID 2868 wrote to memory of 6728	2868	inn.bin.exe	269
PID 2868 wrote to memory of 6728	2868	inn.bin.exe	269
PID 2868 wrote to memory of 6728	2868	inn.bin.exe	269
PID 6580 wrote to memory of 5672	6580	net.exe	270
PID 6580 wrote to memory of 5672	6580	net.exe	270
PID 6580 wrote to memory of 5672	6580	net.exe	270
PID 6484 wrote to memory of 5988	6484	net.exe	271
PID 6484 wrote to memory of 5988	6484	net.exe	271
PID 6484 wrote to memory of 5988	6484	net.exe	271
PID 6664 wrote to memory of 5756	6664	net.exe	272
PID 6664 wrote to memory of 5756	6664	net.exe	272
PID 6664 wrote to memory of 5756	6664	net.exe	272
PID 2868 wrote to memory of 4968	2868	inn.bin.exe	275
PID 2868 wrote to memory of 4968	2868	inn.bin.exe	275
PID 2868 wrote to memory of 4968	2868	inn.bin.exe	275
PID 6764 wrote to memory of 7052	6764	net.exe	276
PID 6764 wrote to memory of 7052	6764	net.exe	276
PID 6764 wrote to memory of 7052	6764	net.exe	276
PID 2868 wrote to memory of 5100	2868	inn.bin.exe	277
PID 2868 wrote to memory of 5100	2868	inn.bin.exe	277
PID 2868 wrote to memory of 5100	2868	inn.bin.exe	277
PID 7040 wrote to memory of 4812	7040	net.exe	278
PID 7040 wrote to memory of 4812	7040	net.exe	278
PID 7040 wrote to memory of 4812	7040	net.exe	278
PID 6856 wrote to memory of 4708	6856	net.exe	279
PID 6856 wrote to memory of 4708	6856	net.exe	279
PID 6856 wrote to memory of 4708	6856	net.exe	279
PID 2868 wrote to memory of 5824	2868	inn.bin.exe	281
PID 2868 wrote to memory of 5824	2868	inn.bin.exe	281
PID 2868 wrote to memory of 5824	2868	inn.bin.exe	281
PID 6936 wrote to memory of 5496	6936	net.exe	282
PID 6936 wrote to memory of 5496	6936	net.exe	282
PID 6936 wrote to memory of 5496	6936	net.exe	282
PID 6984 wrote to memory of 5048	6984	net.exe	283
PID 6984 wrote to memory of 5048	6984	net.exe	283
PID 6984 wrote to memory of 5048	6984	net.exe	283
PID 2868 wrote to memory of 4728	2868	inn.bin.exe	286
PID 2868 wrote to memory of 4728	2868	inn.bin.exe	286
PID 2868 wrote to memory of 4728	2868	inn.bin.exe	286
PID 2868 wrote to memory of 4820	2868	inn.bin.exe	287
PID 2868 wrote to memory of 4820	2868	inn.bin.exe	287
PID 2868 wrote to memory of 4820	2868	inn.bin.exe	287
PID 1768 wrote to memory of 4928	1768	net.exe	288
PID 1768 wrote to memory of 4928	1768	net.exe	288
PID 1768 wrote to memory of 4928	1768	net.exe	288
PID 7136 wrote to memory of 4808	7136	net.exe	289
PID 7136 wrote to memory of 4808	7136	net.exe	289
PID 7136 wrote to memory of 4808	7136	net.exe	289
PID 6836 wrote to memory of 4736	6836	net.exe	291
PID 6836 wrote to memory of 4736	6836	net.exe	291
PID 6836 wrote to memory of 4736	6836	net.exe	291
PID 2868 wrote to memory of 5720	2868	inn.bin.exe	292
PID 2868 wrote to memory of 5720	2868	inn.bin.exe	292
PID 2868 wrote to memory of 5720	2868	inn.bin.exe	292
PID 6036 wrote to memory of 4668	6036	net.exe	293
PID 6036 wrote to memory of 4668	6036	net.exe	293
PID 6036 wrote to memory of 4668	6036	net.exe	293
PID 4496 wrote to memory of 6180	4496	net.exe	294
PID 4496 wrote to memory of 6180	4496	net.exe	294
PID 4496 wrote to memory of 6180	4496	net.exe	294
PID 2868 wrote to memory of 4984	2868	inn.bin.exe	296
PID 2868 wrote to memory of 4984	2868	inn.bin.exe	296
PID 2868 wrote to memory of 4984	2868	inn.bin.exe	296
PID 2868 wrote to memory of 5204	2868	inn.bin.exe	298
PID 2868 wrote to memory of 5204	2868	inn.bin.exe	298
PID 2868 wrote to memory of 5204	2868	inn.bin.exe	298
PID 2868 wrote to memory of 6184	2868	inn.bin.exe	300
PID 2868 wrote to memory of 6184	2868	inn.bin.exe	300
PID 2868 wrote to memory of 6184	2868	inn.bin.exe	300
PID 2868 wrote to memory of 5320	2868	inn.bin.exe	302
PID 2868 wrote to memory of 5320	2868	inn.bin.exe	302
PID 2868 wrote to memory of 5320	2868	inn.bin.exe	302
PID 6728 wrote to memory of 4904	6728	net.exe	303
PID 6728 wrote to memory of 4904	6728	net.exe	303
PID 6728 wrote to memory of 4904	6728	net.exe	303
PID 2868 wrote to memory of 6048	2868	inn.bin.exe	305
PID 2868 wrote to memory of 6048	2868	inn.bin.exe	305
PID 2868 wrote to memory of 6048	2868	inn.bin.exe	305
PID 2868 wrote to memory of 6760	2868	inn.bin.exe	307
PID 2868 wrote to memory of 6760	2868	inn.bin.exe	307
PID 2868 wrote to memory of 6760	2868	inn.bin.exe	307
PID 2868 wrote to memory of 5572	2868	inn.bin.exe	309
PID 2868 wrote to memory of 5572	2868	inn.bin.exe	309
PID 2868 wrote to memory of 5572	2868	inn.bin.exe	309
PID 2868 wrote to memory of 5652	2868	inn.bin.exe	311
PID 2868 wrote to memory of 5652	2868	inn.bin.exe	311
PID 2868 wrote to memory of 5652	2868	inn.bin.exe	311
PID 2868 wrote to memory of 5472	2868	inn.bin.exe	313
PID 2868 wrote to memory of 5472	2868	inn.bin.exe	313
PID 2868 wrote to memory of 5472	2868	inn.bin.exe	313
PID 2868 wrote to memory of 6544	2868	inn.bin.exe	315
PID 2868 wrote to memory of 6544	2868	inn.bin.exe	315
PID 2868 wrote to memory of 6544	2868	inn.bin.exe	315
PID 2868 wrote to memory of 5540	2868	inn.bin.exe	317
PID 2868 wrote to memory of 5540	2868	inn.bin.exe	317
PID 2868 wrote to memory of 5540	2868	inn.bin.exe	317
PID 2868 wrote to memory of 5376	2868	inn.bin.exe	319
PID 2868 wrote to memory of 5376	2868	inn.bin.exe	319
PID 2868 wrote to memory of 5376	2868	inn.bin.exe	319
PID 2868 wrote to memory of 4932	2868	inn.bin.exe	321
PID 2868 wrote to memory of 4932	2868	inn.bin.exe	321
PID 2868 wrote to memory of 4932	2868	inn.bin.exe	321
PID 2868 wrote to memory of 4924	2868	inn.bin.exe	323
PID 2868 wrote to memory of 4924	2868	inn.bin.exe	323
PID 2868 wrote to memory of 4924	2868	inn.bin.exe	323
PID 2868 wrote to memory of 5896	2868	inn.bin.exe	325
PID 2868 wrote to memory of 5896	2868	inn.bin.exe	325
PID 2868 wrote to memory of 5896	2868	inn.bin.exe	325
PID 2868 wrote to memory of 5948	2868	inn.bin.exe	327
PID 2868 wrote to memory of 5948	2868	inn.bin.exe	327
PID 2868 wrote to memory of 5948	2868	inn.bin.exe	327
PID 2868 wrote to memory of 6096	2868	inn.bin.exe	329
PID 2868 wrote to memory of 6096	2868	inn.bin.exe	329
PID 2868 wrote to memory of 6096	2868	inn.bin.exe	329
PID 2868 wrote to memory of 6340	2868	inn.bin.exe	331
PID 2868 wrote to memory of 6340	2868	inn.bin.exe	331
PID 2868 wrote to memory of 6340	2868	inn.bin.exe	331
PID 2868 wrote to memory of 5228	2868	inn.bin.exe	333
PID 2868 wrote to memory of 5228	2868	inn.bin.exe	333
PID 2868 wrote to memory of 5228	2868	inn.bin.exe	333
PID 2868 wrote to memory of 5972	2868	inn.bin.exe	335
PID 2868 wrote to memory of 5972	2868	inn.bin.exe	335
PID 2868 wrote to memory of 5972	2868	inn.bin.exe	335
PID 2868 wrote to memory of 6620	2868	inn.bin.exe	337
PID 2868 wrote to memory of 6620	2868	inn.bin.exe	337
PID 2868 wrote to memory of 6620	2868	inn.bin.exe	337
PID 2868 wrote to memory of 6712	2868	inn.bin.exe	339
PID 2868 wrote to memory of 6712	2868	inn.bin.exe	339
PID 2868 wrote to memory of 6712	2868	inn.bin.exe	339
PID 2868 wrote to memory of 7032	2868	inn.bin.exe	341
PID 2868 wrote to memory of 7032	2868	inn.bin.exe	341
PID 2868 wrote to memory of 7032	2868	inn.bin.exe	341
PID 2868 wrote to memory of 6108	2868	inn.bin.exe	343
PID 2868 wrote to memory of 6108	2868	inn.bin.exe	343
PID 2868 wrote to memory of 6108	2868	inn.bin.exe	343
PID 2868 wrote to memory of 6876	2868	inn.bin.exe	345
PID 2868 wrote to memory of 6876	2868	inn.bin.exe	345
PID 2868 wrote to memory of 6876	2868	inn.bin.exe	345
PID 2868 wrote to memory of 5564	2868	inn.bin.exe	347
PID 2868 wrote to memory of 5564	2868	inn.bin.exe	347
PID 2868 wrote to memory of 5564	2868	inn.bin.exe	347
PID 2868 wrote to memory of 6372	2868	inn.bin.exe	349
PID 2868 wrote to memory of 6372	2868	inn.bin.exe	349
PID 2868 wrote to memory of 6372	2868	inn.bin.exe	349
PID 2868 wrote to memory of 4860	2868	inn.bin.exe	351
PID 2868 wrote to memory of 4860	2868	inn.bin.exe	351
PID 2868 wrote to memory of 4860	2868	inn.bin.exe	351
PID 2868 wrote to memory of 6268	2868	inn.bin.exe	353
PID 2868 wrote to memory of 6268	2868	inn.bin.exe	353
PID 2868 wrote to memory of 6268	2868	inn.bin.exe	353
PID 2868 wrote to memory of 5732	2868	inn.bin.exe	355
PID 2868 wrote to memory of 5732	2868	inn.bin.exe	355
PID 2868 wrote to memory of 5732	2868	inn.bin.exe	355
PID 2868 wrote to memory of 5992	2868	inn.bin.exe	357
PID 2868 wrote to memory of 5992	2868	inn.bin.exe	357
PID 2868 wrote to memory of 5992	2868	inn.bin.exe	357
PID 2868 wrote to memory of 5076	2868	inn.bin.exe	359
PID 2868 wrote to memory of 5076	2868	inn.bin.exe	359
PID 2868 wrote to memory of 5076	2868	inn.bin.exe	359
PID 2868 wrote to memory of 5744	2868	inn.bin.exe	361
PID 2868 wrote to memory of 5744	2868	inn.bin.exe	361
PID 2868 wrote to memory of 5744	2868	inn.bin.exe	361
PID 2868 wrote to memory of 6696	2868	inn.bin.exe	363
PID 2868 wrote to memory of 6696	2868	inn.bin.exe	363
PID 2868 wrote to memory of 6696	2868	inn.bin.exe	363
PID 2868 wrote to memory of 6572	2868	inn.bin.exe	365
PID 2868 wrote to memory of 6572	2868	inn.bin.exe	365
PID 2868 wrote to memory of 6572	2868	inn.bin.exe	365
PID 2868 wrote to memory of 7016	2868	inn.bin.exe	367
PID 2868 wrote to memory of 7016	2868	inn.bin.exe	367
PID 2868 wrote to memory of 7016	2868	inn.bin.exe	367
PID 2868 wrote to memory of 6848	2868	inn.bin.exe	369
PID 2868 wrote to memory of 6848	2868	inn.bin.exe	369
PID 2868 wrote to memory of 6848	2868	inn.bin.exe	369
PID 2868 wrote to memory of 5848	2868	inn.bin.exe	371
PID 2868 wrote to memory of 5848	2868	inn.bin.exe	371
PID 2868 wrote to memory of 5848	2868	inn.bin.exe	371
PID 2868 wrote to memory of 5748	2868	inn.bin.exe	373
PID 2868 wrote to memory of 5748	2868	inn.bin.exe	373
PID 2868 wrote to memory of 5748	2868	inn.bin.exe	373
PID 2868 wrote to memory of 5144	2868	inn.bin.exe	375
PID 2868 wrote to memory of 5144	2868	inn.bin.exe	375
PID 2868 wrote to memory of 5144	2868	inn.bin.exe	375
PID 2868 wrote to memory of 5196	2868	inn.bin.exe	377
PID 2868 wrote to memory of 5196	2868	inn.bin.exe	377
PID 2868 wrote to memory of 5196	2868	inn.bin.exe	377
PID 2868 wrote to memory of 5816	2868	inn.bin.exe	379
PID 2868 wrote to memory of 5816	2868	inn.bin.exe	379
PID 2868 wrote to memory of 5816	2868	inn.bin.exe	379
PID 2868 wrote to memory of 6440	2868	inn.bin.exe	381
PID 2868 wrote to memory of 6440	2868	inn.bin.exe	381
PID 2868 wrote to memory of 6440	2868	inn.bin.exe	381
PID 2868 wrote to memory of 1452	2868	inn.bin.exe	383
PID 2868 wrote to memory of 1452	2868	inn.bin.exe	383
PID 2868 wrote to memory of 1452	2868	inn.bin.exe	383
PID 2868 wrote to memory of 4652	2868	inn.bin.exe	385
PID 2868 wrote to memory of 4652	2868	inn.bin.exe	385
PID 2868 wrote to memory of 4652	2868	inn.bin.exe	385
PID 2868 wrote to memory of 5312	2868	inn.bin.exe	387
PID 2868 wrote to memory of 5312	2868	inn.bin.exe	387
PID 2868 wrote to memory of 5312	2868	inn.bin.exe	387
PID 2868 wrote to memory of 4940	2868	inn.bin.exe	389
PID 2868 wrote to memory of 4940	2868	inn.bin.exe	389
PID 2868 wrote to memory of 4940	2868	inn.bin.exe	389
PID 2868 wrote to memory of 5792	2868	inn.bin.exe	391
PID 2868 wrote to memory of 5792	2868	inn.bin.exe	391
PID 2868 wrote to memory of 5792	2868	inn.bin.exe	391
PID 2868 wrote to memory of 6772	2868	inn.bin.exe	393
PID 2868 wrote to memory of 6772	2868	inn.bin.exe	393
PID 2868 wrote to memory of 6772	2868	inn.bin.exe	393
PID 2868 wrote to memory of 6448	2868	inn.bin.exe	395
PID 2868 wrote to memory of 6448	2868	inn.bin.exe	395
PID 2868 wrote to memory of 6448	2868	inn.bin.exe	395
PID 2868 wrote to memory of 5140	2868	inn.bin.exe	397
PID 2868 wrote to memory of 5140	2868	inn.bin.exe	397
PID 2868 wrote to memory of 5140	2868	inn.bin.exe	397
PID 2868 wrote to memory of 4676	2868	inn.bin.exe	399
PID 2868 wrote to memory of 4676	2868	inn.bin.exe	399
PID 2868 wrote to memory of 4676	2868	inn.bin.exe	399
PID 2868 wrote to memory of 3476	2868	inn.bin.exe	401
PID 2868 wrote to memory of 3476	2868	inn.bin.exe	401
PID 2868 wrote to memory of 3476	2868	inn.bin.exe	401
PID 2868 wrote to memory of 6324	2868	inn.bin.exe	403
PID 2868 wrote to memory of 6324	2868	inn.bin.exe	403
PID 2868 wrote to memory of 6324	2868	inn.bin.exe	403
PID 2868 wrote to memory of 7188	2868	inn.bin.exe	405
PID 2868 wrote to memory of 7188	2868	inn.bin.exe	405
PID 2868 wrote to memory of 7188	2868	inn.bin.exe	405
PID 2868 wrote to memory of 7260	2868	inn.bin.exe	407
PID 2868 wrote to memory of 7260	2868	inn.bin.exe	407
PID 2868 wrote to memory of 7260	2868	inn.bin.exe	407
PID 2868 wrote to memory of 7304	2868	inn.bin.exe	409
PID 2868 wrote to memory of 7304	2868	inn.bin.exe	409
PID 2868 wrote to memory of 7304	2868	inn.bin.exe	409
PID 2868 wrote to memory of 7352	2868	inn.bin.exe	411
PID 2868 wrote to memory of 7352	2868	inn.bin.exe	411
PID 2868 wrote to memory of 7352	2868	inn.bin.exe	411
PID 2868 wrote to memory of 7376	2868	inn.bin.exe	413
PID 2868 wrote to memory of 7376	2868	inn.bin.exe	413
PID 2868 wrote to memory of 7376	2868	inn.bin.exe	413
PID 2868 wrote to memory of 7452	2868	inn.bin.exe	416
PID 2868 wrote to memory of 7452	2868	inn.bin.exe	416
PID 2868 wrote to memory of 7452	2868	inn.bin.exe	416
PID 2868 wrote to memory of 7488	2868	inn.bin.exe	417
PID 2868 wrote to memory of 7488	2868	inn.bin.exe	417
PID 2868 wrote to memory of 7488	2868	inn.bin.exe	417
PID 2868 wrote to memory of 7512	2868	inn.bin.exe	419
PID 2868 wrote to memory of 7512	2868	inn.bin.exe	419
PID 2868 wrote to memory of 7512	2868	inn.bin.exe	419
PID 2868 wrote to memory of 7624	2868	inn.bin.exe	422
PID 2868 wrote to memory of 7624	2868	inn.bin.exe	422
PID 2868 wrote to memory of 7624	2868	inn.bin.exe	422
PID 2868 wrote to memory of 7648	2868	inn.bin.exe	423
PID 2868 wrote to memory of 7648	2868	inn.bin.exe	423
PID 2868 wrote to memory of 7648	2868	inn.bin.exe	423
PID 2868 wrote to memory of 7680	2868	inn.bin.exe	425
PID 2868 wrote to memory of 7680	2868	inn.bin.exe	425
PID 2868 wrote to memory of 7680	2868	inn.bin.exe	425
PID 2868 wrote to memory of 7728	2868	inn.bin.exe	427
PID 2868 wrote to memory of 7728	2868	inn.bin.exe	427
PID 2868 wrote to memory of 7728	2868	inn.bin.exe	427
PID 2868 wrote to memory of 7788	2868	inn.bin.exe	429
PID 2868 wrote to memory of 7788	2868	inn.bin.exe	429
PID 2868 wrote to memory of 7788	2868	inn.bin.exe	429
PID 2868 wrote to memory of 7840	2868	inn.bin.exe	431
PID 2868 wrote to memory of 7840	2868	inn.bin.exe	431
PID 2868 wrote to memory of 7840	2868	inn.bin.exe	431
PID 2868 wrote to memory of 7880	2868	inn.bin.exe	433
PID 2868 wrote to memory of 7880	2868	inn.bin.exe	433
PID 2868 wrote to memory of 7880	2868	inn.bin.exe	433
PID 2868 wrote to memory of 7928	2868	inn.bin.exe	435
PID 2868 wrote to memory of 7928	2868	inn.bin.exe	435
PID 2868 wrote to memory of 7928	2868	inn.bin.exe	435
PID 2868 wrote to memory of 7992	2868	inn.bin.exe	437
PID 2868 wrote to memory of 7992	2868	inn.bin.exe	437
PID 2868 wrote to memory of 7992	2868	inn.bin.exe	437
PID 2868 wrote to memory of 8028	2868	inn.bin.exe	439
PID 2868 wrote to memory of 8028	2868	inn.bin.exe	439
PID 2868 wrote to memory of 8028	2868	inn.bin.exe	439
PID 2868 wrote to memory of 8072	2868	inn.bin.exe	441
PID 2868 wrote to memory of 8072	2868	inn.bin.exe	441
PID 2868 wrote to memory of 8072	2868	inn.bin.exe	441
PID 2868 wrote to memory of 8124	2868	inn.bin.exe	443
PID 2868 wrote to memory of 8124	2868	inn.bin.exe	443
PID 2868 wrote to memory of 8124	2868	inn.bin.exe	443
PID 2868 wrote to memory of 8176	2868	inn.bin.exe	445
PID 2868 wrote to memory of 8176	2868	inn.bin.exe	445
PID 2868 wrote to memory of 8176	2868	inn.bin.exe	445
PID 2868 wrote to memory of 7276	2868	inn.bin.exe	447
PID 2868 wrote to memory of 7276	2868	inn.bin.exe	447
PID 2868 wrote to memory of 7276	2868	inn.bin.exe	447
PID 2868 wrote to memory of 7372	2868	inn.bin.exe	449
PID 2868 wrote to memory of 7372	2868	inn.bin.exe	449
PID 2868 wrote to memory of 7372	2868	inn.bin.exe	449
PID 2868 wrote to memory of 7312	2868	inn.bin.exe	450
PID 2868 wrote to memory of 7312	2868	inn.bin.exe	450
PID 2868 wrote to memory of 7312	2868	inn.bin.exe	450
PID 2868 wrote to memory of 7688	2868	inn.bin.exe	453
PID 2868 wrote to memory of 7688	2868	inn.bin.exe	453
PID 2868 wrote to memory of 7688	2868	inn.bin.exe	453
PID 2868 wrote to memory of 8036	2868	inn.bin.exe	455
PID 2868 wrote to memory of 8036	2868	inn.bin.exe	455
PID 2868 wrote to memory of 8036	2868	inn.bin.exe	455
PID 2868 wrote to memory of 8196	2868	inn.bin.exe	457
PID 2868 wrote to memory of 8196	2868	inn.bin.exe	457
PID 2868 wrote to memory of 8196	2868	inn.bin.exe	457
PID 2868 wrote to memory of 8220	2868	inn.bin.exe	459
PID 2868 wrote to memory of 8220	2868	inn.bin.exe	459
PID 2868 wrote to memory of 8220	2868	inn.bin.exe	459
PID 2868 wrote to memory of 8268	2868	inn.bin.exe	461
PID 2868 wrote to memory of 8268	2868	inn.bin.exe	461
PID 2868 wrote to memory of 8268	2868	inn.bin.exe	461
PID 2868 wrote to memory of 8320	2868	inn.bin.exe	463
PID 2868 wrote to memory of 8320	2868	inn.bin.exe	463
PID 2868 wrote to memory of 8320	2868	inn.bin.exe	463
PID 2868 wrote to memory of 8368	2868	inn.bin.exe	465
PID 2868 wrote to memory of 8368	2868	inn.bin.exe	465
PID 2868 wrote to memory of 8368	2868	inn.bin.exe	465
PID 2868 wrote to memory of 8420	2868	inn.bin.exe	467
PID 2868 wrote to memory of 8420	2868	inn.bin.exe	467
PID 2868 wrote to memory of 8420	2868	inn.bin.exe	467
PID 2868 wrote to memory of 8484	2868	inn.bin.exe	469
PID 2868 wrote to memory of 8484	2868	inn.bin.exe	469
PID 2868 wrote to memory of 8484	2868	inn.bin.exe	469
PID 2868 wrote to memory of 8548	2868	inn.bin.exe	471
PID 2868 wrote to memory of 8548	2868	inn.bin.exe	471
PID 2868 wrote to memory of 8548	2868	inn.bin.exe	471
PID 2868 wrote to memory of 8596	2868	inn.bin.exe	473
PID 2868 wrote to memory of 8596	2868	inn.bin.exe	473
PID 2868 wrote to memory of 8596	2868	inn.bin.exe	473
PID 2868 wrote to memory of 8656	2868	inn.bin.exe	475
PID 2868 wrote to memory of 8656	2868	inn.bin.exe	475
PID 2868 wrote to memory of 8656	2868	inn.bin.exe	475
PID 2868 wrote to memory of 8704	2868	inn.bin.exe	476
PID 2868 wrote to memory of 8704	2868	inn.bin.exe	476
PID 2868 wrote to memory of 8704	2868	inn.bin.exe	476
PID 2868 wrote to memory of 8744	2868	inn.bin.exe	479
PID 2868 wrote to memory of 8744	2868	inn.bin.exe	479
PID 2868 wrote to memory of 8744	2868	inn.bin.exe	479
PID 2868 wrote to memory of 8788	2868	inn.bin.exe	481
PID 2868 wrote to memory of 8788	2868	inn.bin.exe	481
PID 2868 wrote to memory of 8788	2868	inn.bin.exe	481
PID 2868 wrote to memory of 8832	2868	inn.bin.exe	483
PID 2868 wrote to memory of 8832	2868	inn.bin.exe	483
PID 2868 wrote to memory of 8832	2868	inn.bin.exe	483
PID 2868 wrote to memory of 8880	2868	inn.bin.exe	485
PID 2868 wrote to memory of 8880	2868	inn.bin.exe	485
PID 2868 wrote to memory of 8880	2868	inn.bin.exe	485
PID 2868 wrote to memory of 8932	2868	inn.bin.exe	487
PID 2868 wrote to memory of 8932	2868	inn.bin.exe	487
PID 2868 wrote to memory of 8932	2868	inn.bin.exe	487
PID 2868 wrote to memory of 9004	2868	inn.bin.exe	490
PID 2868 wrote to memory of 9004	2868	inn.bin.exe	490
PID 2868 wrote to memory of 9004	2868	inn.bin.exe	490
PID 2868 wrote to memory of 9052	2868	inn.bin.exe	491
PID 2868 wrote to memory of 9052	2868	inn.bin.exe	491
PID 2868 wrote to memory of 9052	2868	inn.bin.exe	491
PID 2868 wrote to memory of 9088	2868	inn.bin.exe	493
PID 2868 wrote to memory of 9088	2868	inn.bin.exe	493
PID 2868 wrote to memory of 9088	2868	inn.bin.exe	493
PID 2868 wrote to memory of 9132	2868	inn.bin.exe	495
PID 2868 wrote to memory of 9132	2868	inn.bin.exe	495
PID 2868 wrote to memory of 9132	2868	inn.bin.exe	495
PID 2868 wrote to memory of 9180	2868	inn.bin.exe	497
PID 2868 wrote to memory of 9180	2868	inn.bin.exe	497
PID 2868 wrote to memory of 9180	2868	inn.bin.exe	497
PID 2868 wrote to memory of 2172	2868	inn.bin.exe	499
PID 2868 wrote to memory of 2172	2868	inn.bin.exe	499
PID 2868 wrote to memory of 2172	2868	inn.bin.exe	499
PID 2868 wrote to memory of 8328	2868	inn.bin.exe	501
PID 2868 wrote to memory of 8328	2868	inn.bin.exe	501
PID 2868 wrote to memory of 8328	2868	inn.bin.exe	501
PID 2868 wrote to memory of 8664	2868	inn.bin.exe	503
PID 2868 wrote to memory of 8664	2868	inn.bin.exe	503
PID 2868 wrote to memory of 8664	2868	inn.bin.exe	503
PID 2868 wrote to memory of 8924	2868	inn.bin.exe	505
PID 2868 wrote to memory of 8924	2868	inn.bin.exe	505
PID 2868 wrote to memory of 8924	2868	inn.bin.exe	505
PID 2868 wrote to memory of 3868	2868	inn.bin.exe	507
PID 2868 wrote to memory of 3868	2868	inn.bin.exe	507
PID 2868 wrote to memory of 3868	2868	inn.bin.exe	507
PID 2868 wrote to memory of 9268	2868	inn.bin.exe	509
PID 2868 wrote to memory of 9268	2868	inn.bin.exe	509
PID 2868 wrote to memory of 9268	2868	inn.bin.exe	509
PID 2868 wrote to memory of 9324	2868	inn.bin.exe	511
PID 2868 wrote to memory of 9324	2868	inn.bin.exe	511
PID 2868 wrote to memory of 9324	2868	inn.bin.exe	511
PID 2868 wrote to memory of 9364	2868	inn.bin.exe	513
PID 2868 wrote to memory of 9364	2868	inn.bin.exe	513
PID 2868 wrote to memory of 9364	2868	inn.bin.exe	513
PID 2868 wrote to memory of 9428	2868	inn.bin.exe	515
PID 2868 wrote to memory of 9428	2868	inn.bin.exe	515
PID 2868 wrote to memory of 9428	2868	inn.bin.exe	515
PID 2868 wrote to memory of 9508	2868	inn.bin.exe	517
PID 2868 wrote to memory of 9508	2868	inn.bin.exe	517
PID 2868 wrote to memory of 9508	2868	inn.bin.exe	517
PID 2868 wrote to memory of 9544	2868	inn.bin.exe	519
PID 2868 wrote to memory of 9544	2868	inn.bin.exe	519
PID 2868 wrote to memory of 9544	2868	inn.bin.exe	519
PID 2868 wrote to memory of 9588	2868	inn.bin.exe	521
PID 2868 wrote to memory of 9588	2868	inn.bin.exe	521
PID 2868 wrote to memory of 9588	2868	inn.bin.exe	521
PID 2868 wrote to memory of 9624	2868	inn.bin.exe	523
PID 2868 wrote to memory of 9624	2868	inn.bin.exe	523
PID 2868 wrote to memory of 9624	2868	inn.bin.exe	523

C:\Users\Admin\AppData\Local\Temp\inn.bin.exe
"C:\Users\Admin\AppData\Local\Temp\inn.bin.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "mysql*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "dsa*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "Ntrtscan*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "ds_monitor*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "Notifier*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "TmListen*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "iVPAgent*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "CNTAoSMgr*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "IBM*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "bes10*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "black*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "robo*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "copy*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "store.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "sql*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "vee*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "wrsa*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "wrsa.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "postg*"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "sage*"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
    3⤵
    PID:4540
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQL$ISARS"
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$ISARS"
    3⤵
    PID:4964
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQL$MSFW"
  2⤵
  PID:4492
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$MSFW"
    3⤵
    PID:4780
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLAgent$ISARS"
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$ISARS"
    3⤵
    PID:4480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLAgent$MSFW"
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLAgent$MSFW"
    3⤵
    PID:4920
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLBrowser"
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLBrowser"
    3⤵
    PID:4620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ReportServer$ISARS"
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ReportServer$ISARS"
    3⤵
    PID:5208
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SQLWriter"
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SQLWriter"
    3⤵
    PID:5276
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "WinDefend"
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:5256
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "mr2kserv"
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "mr2kserv"
    3⤵
    PID:5364
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeADTopology"
  2⤵
  PID:4824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeADTopology"
    3⤵
    PID:5424
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeFBA"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeFBA"
    3⤵
    PID:5668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeIS"
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeIS"
    3⤵
    PID:5596
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSExchangeSA"
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSExchangeSA"
    3⤵
    PID:5680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ShadowProtectSvc"
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ShadowProtectSvc"
    3⤵
    PID:5820
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPAdminV4"
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPAdminV4"
    3⤵
    PID:5872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPTimerV4"
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPTimerV4"
    3⤵
    PID:5804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPTraceV4"
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPTraceV4"
    3⤵
    PID:6004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPUserCodeV4"
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPUserCodeV4"
    3⤵
    PID:6052
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPWriterV4"
  2⤵
  PID:5176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPWriterV4"
    3⤵
    PID:6064
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "SPSearch4"
  2⤵
  PID:5232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SPSearch4"
    3⤵
    PID:5268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "MSSQLServerADHelper100"
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
    3⤵
    PID:5284
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IISADMIN"
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISADMIN"
    3⤵
    PID:5976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "firebirdguardiandefaultinstance"
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "firebirdguardiandefaultinstance"
    3⤵
    PID:6228
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "ibmiasrw"
  2⤵
  PID:5504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "ibmiasrw"
    3⤵
    PID:6200
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBCFMonitorService"
  2⤵
  PID:5548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBCFMonitorService"
    3⤵
    PID:6212
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBVSS"
  2⤵
  PID:5628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBVSS"
    3⤵
    PID:6348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QBPOSDBServiceV12"
  2⤵
  PID:5708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QBPOSDBServiceV12"
    3⤵
    PID:6296
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
    3⤵
    PID:6508
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
    3⤵
    PID:6608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "IISADMIN"
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "IISADMIN"
    3⤵
    PID:6748
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:5968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
    3⤵
    PID:6740
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB1"
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB1"
    3⤵
    PID:6808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB2"
  2⤵
  PID:6112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB2"
    3⤵
    PID:6816
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB3"
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB3"
    3⤵
    PID:6892
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB4"
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB4"
    3⤵
    PID:7068
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB5"
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB5"
    3⤵
    PID:7028
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB6"
  2⤵
  PID:6168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB6"
    3⤵
    PID:7084
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB7"
  2⤵
  PID:6264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB7"
    3⤵
    PID:5624
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB8"
  2⤵
  PID:6332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB8"
    3⤵
    PID:4004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB9"
  2⤵
  PID:6392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB9"
    3⤵
    PID:6824
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB10"
  2⤵
  PID:6444
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB10"
    3⤵
    PID:5560
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB11"
  2⤵
  PID:6484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB11"
    3⤵
    PID:5988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB12"
  2⤵
  PID:6580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB12"
    3⤵
    PID:5672
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB13"
  2⤵
  PID:6664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB13"
    3⤵
    PID:5756
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB14"
  2⤵
  PID:6720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB14"
    3⤵
    PID:4616
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB15"
  2⤵
  PID:6764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB15"
    3⤵
    PID:7052
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB16"
  2⤵
  PID:6856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB16"
    3⤵
    PID:4708
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB17"
  2⤵
  PID:6936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB17"
    3⤵
    PID:5496
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB18"
  2⤵
  PID:6984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB18"
    3⤵
    PID:5048
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB19"
  2⤵
  PID:7040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB19"
    3⤵
    PID:4812
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB20"
  2⤵
  PID:7136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB20"
    3⤵
    PID:4808
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB21"
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB21"
    3⤵
    PID:4668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB22"
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB22"
    3⤵
    PID:4928
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB23"
  2⤵
  PID:6836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB23"
    3⤵
    PID:4736
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB24"
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB24"
    3⤵
    PID:6180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "QuickBooksDB25"
  2⤵
  PID:6728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "QuickBooksDB25"
    3⤵
    PID:4904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2728"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2728"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "2728"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5824
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5020"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5020"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5020"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5176"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5176"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5204
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5176"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6184
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5232"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5232"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6048
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5232"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6760
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5304"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5572
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5304"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5652
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5304"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5472
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5340"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6544
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5340"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5340"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5376
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5404"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5404"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5404"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5896
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5504"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5948
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5504"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6096
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5504"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6340
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5548"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5228
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5548"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5972
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5548"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6620
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5628"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6712
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5628"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7032
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5628"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6108
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5708"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6876
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5708"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5564
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5708"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6372
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5768"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5768"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6268
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5768"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5732
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5852"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5852"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5852"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5744
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5924"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6696
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5924"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6572
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5924"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7016
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5968"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6848
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5968"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5848
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5968"
  2⤵
  - Kills process with taskkill
  PID:5748
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6076"
  2⤵
  - Kills process with taskkill
  PID:5144
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6076"
  2⤵
  PID:5196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6076"
  2⤵
  PID:5816
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6112"
  2⤵
  PID:6440
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6112"
  2⤵
  - Kills process with taskkill
  PID:1452
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6112"
  2⤵
  PID:4652
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4840"
  2⤵
  - Kills process with taskkill
  PID:5312
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4840"
  2⤵
  - Kills process with taskkill
  PID:4940
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4840"
  2⤵
  - Kills process with taskkill
  PID:5792
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5636"
  2⤵
  - Kills process with taskkill
  PID:6772
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5636"
  2⤵
  - Kills process with taskkill
  PID:6448
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "5636"
  2⤵
  PID:5140
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  PID:4676
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  - Kills process with taskkill
  PID:3476
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6084"
  2⤵
  PID:6324
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6168"
  2⤵
  PID:7188
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6168"
  2⤵
  PID:7260
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6168"
  2⤵
  - Kills process with taskkill
  PID:7304
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6264"
  2⤵
  PID:7352
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6264"
  2⤵
  PID:7376
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6264"
  2⤵
  PID:7452
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6332"
  2⤵
  PID:7488
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6332"
  2⤵
  - Kills process with taskkill
  PID:7512
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6332"
  2⤵
  - Kills process with taskkill
  PID:7624
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6392"
  2⤵
  PID:7648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6392"
  2⤵
  PID:7680
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6392"
  2⤵
  - Kills process with taskkill
  PID:7728
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6444"
  2⤵
  PID:7788
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6444"
  2⤵
  PID:7840
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6444"
  2⤵
  PID:7880
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6484"
  2⤵
  - Kills process with taskkill
  PID:7928
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6484"
  2⤵
  PID:7992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6484"
  2⤵
  - Kills process with taskkill
  PID:8028
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6580"
  2⤵
  PID:8072
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6580"
  2⤵
  - Kills process with taskkill
  PID:8124
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6580"
  2⤵
  - Kills process with taskkill
  PID:8176
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6664"
  2⤵
  PID:7276
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6664"
  2⤵
  - Kills process with taskkill
  PID:7372
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6664"
  2⤵
  PID:7312
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6720"
  2⤵
  PID:7688
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6720"
  2⤵
  PID:8036
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6720"
  2⤵
  - Kills process with taskkill
  PID:8196
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6764"
  2⤵
  - Kills process with taskkill
  PID:8220
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6764"
  2⤵
  PID:8268
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6764"
  2⤵
  PID:8320
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6856"
  2⤵
  PID:8368
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6856"
  2⤵
  - Kills process with taskkill
  PID:8420
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6856"
  2⤵
  - Kills process with taskkill
  PID:8484
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6936"
  2⤵
  - Kills process with taskkill
  PID:8548
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6936"
  2⤵
  PID:8596
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6936"
  2⤵
  - Kills process with taskkill
  PID:8656
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6984"
  2⤵
  - Kills process with taskkill
  PID:8704
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6984"
  2⤵
  PID:8744
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6984"
  2⤵
  - Kills process with taskkill
  PID:8788
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7040"
  2⤵
  - Kills process with taskkill
  PID:8832
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7040"
  2⤵
  - Kills process with taskkill
  PID:8880
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7040"
  2⤵
  - Kills process with taskkill
  PID:8932
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7136"
  2⤵
  PID:9004
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7136"
  2⤵
  PID:9052
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "7136"
  2⤵
  - Kills process with taskkill
  PID:9088
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6036"
  2⤵
  PID:9132
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6036"
  2⤵
  - Kills process with taskkill
  PID:9180
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6036"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1768"
  2⤵
  - Kills process with taskkill
  PID:8328
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1768"
  2⤵
  PID:8664
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "1768"
  2⤵
  PID:8924
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6836"
  2⤵
  PID:3868
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6836"
  2⤵
  PID:9268
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6836"
  2⤵
  PID:9324
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4496"
  2⤵
  - Kills process with taskkill
  PID:9364
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4496"
  2⤵
  - Kills process with taskkill
  PID:9428
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "4496"
  2⤵
  - Kills process with taskkill
  PID:9508
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6728"
  2⤵
  PID:9544
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6728"
  2⤵
  - Kills process with taskkill
  PID:9588
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /PID "6728"
  2⤵
  - Kills process with taskkill
  PID:9624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
PID:11548

\??\c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:12464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads