d3ec5734dbfb2f7233f9b152599eccbb8a7badc565bcb4a23bc242be709f74e9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ca3bdb93a3335c18f3b5d316aa101a.exe
Size

192KB
MD5

40ca3bdb93a3335c18f3b5d316aa101a
SHA1

3524b4d97028b0941fea1c4f4569c5214e814f52
SHA256

d3ec5734dbfb2f7233f9b152599eccbb8a7badc565bcb4a23bc242be709f74e9
SHA512

5a1cc8973132aa81527531a029a85d9b13cf05bcc5657aa8c391058ce756780a7954b0a1811f086a3c2388c54d9a0b14b623587755b24b2555878c7ba7db2bfe
SSDEEP

3072:mKb5zN9u8StaSRnYkOlzbG9/ZZADT7ONPGzXwTFKEGC2FovgiLfsuEnUooTpgO:md4ShcGhZ+T74PZFLMFUgiLPEUtFgO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4256	commserv.exe
1508	commserv.exe
1912	commserv.exe
2320	commserv.exe
3772	commserv.exe
5020	commserv.exe
5060	commserv.exe
2652	commserv.exe
4772	commserv.exe
4612	commserv.exe
2228	commserv.exe
5036	commserv.exe
2480	commserv.exe
1564	commserv.exe
3116	commserv.exe
4224	commserv.exe
4928	commserv.exe
2692	commserv.exe
4844	commserv.exe
3008	commserv.exe
4616	commserv.exe
4480	commserv.exe
4504	commserv.exe
4184	commserv.exe
4812	commserv.exe
1448	commserv.exe
3292	commserv.exe
3316	commserv.exe
3624	commserv.exe
1888	commserv.exe
2116	commserv.exe
4264	commserv.exe
2428	commserv.exe
4776	commserv.exe
4788	commserv.exe
4744	commserv.exe
396	commserv.exe
3316	commserv.exe
412	commserv.exe
2688	commserv.exe
1504	commserv.exe
1196	commserv.exe
2724	commserv.exe
952	commserv.exe
4788	commserv.exe
4848	commserv.exe
2936	commserv.exe
2632	commserv.exe
4584	commserv.exe
3412	commserv.exe
2232	commserv.exe
5044	commserv.exe
4496	commserv.exe
3672	commserv.exe
1848	commserv.exe
4368	commserv.exe
1904	commserv.exe
2524	commserv.exe
400	commserv.exe
3076	commserv.exe
1564	commserv.exe
3160	commserv.exe
2020	commserv.exe
1536	commserv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File created	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	40ca3bdb93a3335c18f3b5d316aa101a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 400	3324	40ca3bdb93a3335c18f3b5d316aa101a.exe	90
PID 3324 wrote to memory of 400	3324	40ca3bdb93a3335c18f3b5d316aa101a.exe	90
PID 3324 wrote to memory of 400	3324	40ca3bdb93a3335c18f3b5d316aa101a.exe	90
PID 400 wrote to memory of 3024	400	40ca3bdb93a3335c18f3b5d316aa101a.exe	95
PID 400 wrote to memory of 3024	400	40ca3bdb93a3335c18f3b5d316aa101a.exe	95
PID 400 wrote to memory of 3024	400	40ca3bdb93a3335c18f3b5d316aa101a.exe	95
PID 3024 wrote to memory of 4160	3024	40ca3bdb93a3335c18f3b5d316aa101a.exe	98
PID 3024 wrote to memory of 4160	3024	40ca3bdb93a3335c18f3b5d316aa101a.exe	98
PID 3024 wrote to memory of 4160	3024	40ca3bdb93a3335c18f3b5d316aa101a.exe	98
PID 4160 wrote to memory of 2232	4160	40ca3bdb93a3335c18f3b5d316aa101a.exe	100
PID 4160 wrote to memory of 2232	4160	40ca3bdb93a3335c18f3b5d316aa101a.exe	100
PID 4160 wrote to memory of 2232	4160	40ca3bdb93a3335c18f3b5d316aa101a.exe	100
PID 2232 wrote to memory of 868	2232	40ca3bdb93a3335c18f3b5d316aa101a.exe	104
PID 2232 wrote to memory of 868	2232	40ca3bdb93a3335c18f3b5d316aa101a.exe	104
PID 2232 wrote to memory of 868	2232	40ca3bdb93a3335c18f3b5d316aa101a.exe	104
PID 868 wrote to memory of 1020	868	40ca3bdb93a3335c18f3b5d316aa101a.exe	108
PID 868 wrote to memory of 1020	868	40ca3bdb93a3335c18f3b5d316aa101a.exe	108
PID 868 wrote to memory of 1020	868	40ca3bdb93a3335c18f3b5d316aa101a.exe	108
PID 1020 wrote to memory of 4360	1020	40ca3bdb93a3335c18f3b5d316aa101a.exe	110
PID 1020 wrote to memory of 4360	1020	40ca3bdb93a3335c18f3b5d316aa101a.exe	110
PID 1020 wrote to memory of 4360	1020	40ca3bdb93a3335c18f3b5d316aa101a.exe	110
PID 4360 wrote to memory of 1672	4360	40ca3bdb93a3335c18f3b5d316aa101a.exe	112
PID 4360 wrote to memory of 1672	4360	40ca3bdb93a3335c18f3b5d316aa101a.exe	112
PID 4360 wrote to memory of 1672	4360	40ca3bdb93a3335c18f3b5d316aa101a.exe	112
PID 1672 wrote to memory of 4552	1672	40ca3bdb93a3335c18f3b5d316aa101a.exe	115
PID 1672 wrote to memory of 4552	1672	40ca3bdb93a3335c18f3b5d316aa101a.exe	115
PID 1672 wrote to memory of 4552	1672	40ca3bdb93a3335c18f3b5d316aa101a.exe	115
PID 4552 wrote to memory of 4364	4552	40ca3bdb93a3335c18f3b5d316aa101a.exe	117
PID 4552 wrote to memory of 4364	4552	40ca3bdb93a3335c18f3b5d316aa101a.exe	117
PID 4552 wrote to memory of 4364	4552	40ca3bdb93a3335c18f3b5d316aa101a.exe	117
PID 4364 wrote to memory of 3012	4364	40ca3bdb93a3335c18f3b5d316aa101a.exe	121
PID 4364 wrote to memory of 3012	4364	40ca3bdb93a3335c18f3b5d316aa101a.exe	121
PID 4364 wrote to memory of 3012	4364	40ca3bdb93a3335c18f3b5d316aa101a.exe	121
PID 3012 wrote to memory of 3292	3012	40ca3bdb93a3335c18f3b5d316aa101a.exe	123
PID 3012 wrote to memory of 3292	3012	40ca3bdb93a3335c18f3b5d316aa101a.exe	123
PID 3012 wrote to memory of 3292	3012	40ca3bdb93a3335c18f3b5d316aa101a.exe	123
PID 3292 wrote to memory of 640	3292	40ca3bdb93a3335c18f3b5d316aa101a.exe	125
PID 3292 wrote to memory of 640	3292	40ca3bdb93a3335c18f3b5d316aa101a.exe	125
PID 3292 wrote to memory of 640	3292	40ca3bdb93a3335c18f3b5d316aa101a.exe	125
PID 640 wrote to memory of 4860	640	40ca3bdb93a3335c18f3b5d316aa101a.exe	127
PID 640 wrote to memory of 4860	640	40ca3bdb93a3335c18f3b5d316aa101a.exe	127
PID 640 wrote to memory of 4860	640	40ca3bdb93a3335c18f3b5d316aa101a.exe	127
PID 4860 wrote to memory of 3684	4860	40ca3bdb93a3335c18f3b5d316aa101a.exe	129
PID 4860 wrote to memory of 3684	4860	40ca3bdb93a3335c18f3b5d316aa101a.exe	129
PID 4860 wrote to memory of 3684	4860	40ca3bdb93a3335c18f3b5d316aa101a.exe	129
PID 3684 wrote to memory of 1048	3684	40ca3bdb93a3335c18f3b5d316aa101a.exe	131
PID 3684 wrote to memory of 1048	3684	40ca3bdb93a3335c18f3b5d316aa101a.exe	131
PID 3684 wrote to memory of 1048	3684	40ca3bdb93a3335c18f3b5d316aa101a.exe	131
PID 1048 wrote to memory of 1504	1048	40ca3bdb93a3335c18f3b5d316aa101a.exe	133
PID 1048 wrote to memory of 1504	1048	40ca3bdb93a3335c18f3b5d316aa101a.exe	133
PID 1048 wrote to memory of 1504	1048	40ca3bdb93a3335c18f3b5d316aa101a.exe	133
PID 1504 wrote to memory of 2564	1504	40ca3bdb93a3335c18f3b5d316aa101a.exe	135
PID 1504 wrote to memory of 2564	1504	40ca3bdb93a3335c18f3b5d316aa101a.exe	135
PID 1504 wrote to memory of 2564	1504	40ca3bdb93a3335c18f3b5d316aa101a.exe	135
PID 2564 wrote to memory of 8	2564	40ca3bdb93a3335c18f3b5d316aa101a.exe	137
PID 2564 wrote to memory of 8	2564	40ca3bdb93a3335c18f3b5d316aa101a.exe	137
PID 2564 wrote to memory of 8	2564	40ca3bdb93a3335c18f3b5d316aa101a.exe	137
PID 8 wrote to memory of 1104	8	40ca3bdb93a3335c18f3b5d316aa101a.exe	139
PID 8 wrote to memory of 1104	8	40ca3bdb93a3335c18f3b5d316aa101a.exe	139
PID 8 wrote to memory of 1104	8	40ca3bdb93a3335c18f3b5d316aa101a.exe	139
PID 1104 wrote to memory of 4232	1104	40ca3bdb93a3335c18f3b5d316aa101a.exe	141
PID 1104 wrote to memory of 4232	1104	40ca3bdb93a3335c18f3b5d316aa101a.exe	141
PID 1104 wrote to memory of 4232	1104	40ca3bdb93a3335c18f3b5d316aa101a.exe	141
PID 4232 wrote to memory of 1672	4232	40ca3bdb93a3335c18f3b5d316aa101a.exe	143

C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
"C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
  a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
    a
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
      a
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        12⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        15⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        17⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        23⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        24⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        25⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        26⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        27⤵
        Drops file in System32 directory
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        28⤵
        Drops file in System32 directory
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        29⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        30⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        31⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        32⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        33⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        34⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        35⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        36⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        37⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        38⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        39⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        40⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        41⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        42⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        43⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        44⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        45⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        46⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        47⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        48⤵
        Drops file in System32 directory
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        49⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        50⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        51⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        52⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        53⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        54⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        55⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        56⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        57⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        58⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        59⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        60⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        61⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        62⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        63⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        64⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        65⤵
        Drops file in System32 directory
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        66⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        67⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        68⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        69⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        70⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        71⤵
        Drops file in System32 directory
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        72⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        73⤵
        Drops file in System32 directory
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        74⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        75⤵
        Drops file in System32 directory
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        76⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        77⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        78⤵
        Drops file in System32 directory
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        79⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        80⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        81⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        82⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        83⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        84⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        85⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        86⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        87⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        88⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        89⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        90⤵
        Drops file in System32 directory
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        91⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        92⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        93⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        94⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        95⤵
        Drops file in System32 directory
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        96⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        97⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        98⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        99⤵
        Drops file in System32 directory
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        100⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        101⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        102⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        103⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        104⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        105⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        106⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        107⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        108⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        109⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        110⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        111⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        112⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        113⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        114⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        115⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        116⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        117⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        118⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        119⤵
        Drops file in System32 directory
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        120⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        121⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        122⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        123⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        124⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        125⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        126⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        127⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        128⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        129⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\40ca3bdb93a3335c18f3b5d316aa101a.exe
        
        a
        130⤵
        
        PID:3176

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5036

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3116

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4224

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4928

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4184

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3292

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3316

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:952

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3160

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3672

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1488

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3532

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3948

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1728

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2524

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1100

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4572

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4144

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3232

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2612

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:3036

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3052

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2032

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:5020

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2312

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3564

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4960

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3204

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4776

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4852

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1600

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:372

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4912

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4928

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2124

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:228

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2832

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4732

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3956

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:952

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:1216

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4904

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4580

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2256

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2532

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4504

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4228

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3620

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2684

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:3336

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2156

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:5028

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3108

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3200

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2804

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1476

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:3712

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1412

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2304

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3220

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:696

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2040

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3764

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:968

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2804

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4768

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2480

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:936

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2100

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3036

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4548

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1084

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\accwiz.bin

Filesize
103B

MD5
9bb9747dbbfd72aef40b1b9e691e85a5

SHA1
5f7d6dd0e9d8fa03adb8f360d139bd648d88a33b

SHA256
fb040122c704a74e36ef23599572eb0bd6956dff71484f5ec7720702ebd0abb4

SHA512
a0d8f06863a0c0f59f582c4142547df281ec01be57e0c71c2222300e9f87a9cd091faf8664ac265ad4d77fc5ec3ba4e02749cb5fbcf207b96717debfb0ff9f77

Download Submit
C:\Windows\SysWOW64\commserv.exe

Filesize
124KB

MD5
01201ed072a39c34f21b15b604a9dcd8

SHA1
4761df28afbaa31e32dad6e96c58c9e8eeccdd13

SHA256
a5345fdfc98f7fa340775d0ca5c370b0d8446ee3d5a258979be2a0818b51ba30

SHA512
7532854d6d89c5259b71380eaf32d552e7d9523721536557b84567a5feaa5e0a6ef33e9e1629fbf7c8e6b00f1dd8038a1872c3a5ea4ea1278d9bfb726675dd5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads