f37534f4fa518cf893d397f596c450de1583e25696e7a8fbc2ef691b0e87f78c

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
Size

192KB
MD5

178572e4d86614d464edb0c49aed1865
SHA1

2873bb6205208d2996ff657a6dcd904e6beb5958
SHA256

f37534f4fa518cf893d397f596c450de1583e25696e7a8fbc2ef691b0e87f78c
SHA512

1b4fbd58425bfc8e179ead7259d33cf6df440e905beeb580ee97e40859e40e20662b13b6bc4ce89dc8f3e0f8f3ae98be17cec20c81d62429863e94d09d08ed4e
SSDEEP

3072:mKb5zN9u8StaSRnYkOlzbG9/ZZADT7ONPGzXwTFKEG4ne8svUqnvjy:md4ShcGhZ+T74PZFLQ/ve

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1572	commserv.exe
984	commserv.exe
1420	commserv.exe
3240	commserv.exe
1184	commserv.exe
1364	commserv.exe
4212	commserv.exe
2088	commserv.exe
3424	commserv.exe
4428	commserv.exe
2364	commserv.exe
2388	commserv.exe
4244	commserv.exe
4192	commserv.exe
2484	commserv.exe
4796	commserv.exe
4764	commserv.exe
2592	commserv.exe
4268	commserv.exe
1112	commserv.exe
2656	commserv.exe
1052	commserv.exe
3112	commserv.exe
2644	commserv.exe
4548	commserv.exe
4540	commserv.exe
2140	commserv.exe
4552	commserv.exe
3492	commserv.exe
1400	commserv.exe
2976	commserv.exe
2928	commserv.exe
1572	commserv.exe
1964	commserv.exe
4448	commserv.exe
4904	commserv.exe
4784	commserv.exe
4840	commserv.exe
3216	commserv.exe
1148	commserv.exe
4104	commserv.exe
4916	commserv.exe
4472	commserv.exe
792	commserv.exe
3840	commserv.exe
3644	commserv.exe
2700	commserv.exe
1672	commserv.exe
1180	commserv.exe
1444	commserv.exe
756	commserv.exe
1348	commserv.exe
4116	commserv.exe
1676	commserv.exe
1928	commserv.exe
1352	commserv.exe
2208	commserv.exe
2708	commserv.exe
3408	commserv.exe
4884	commserv.exe
2068	commserv.exe
5024	commserv.exe
2176	commserv.exe
4396	commserv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\commserv.exe	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\accwiz.bin	commserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 4240	1456	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	81
PID 1456 wrote to memory of 4240	1456	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	81
PID 1456 wrote to memory of 4240	1456	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	81
PID 4240 wrote to memory of 628	4240	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	83
PID 4240 wrote to memory of 628	4240	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	83
PID 4240 wrote to memory of 628	4240	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	83
PID 628 wrote to memory of 4964	628	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	85
PID 628 wrote to memory of 4964	628	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	85
PID 628 wrote to memory of 4964	628	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	85
PID 4964 wrote to memory of 2072	4964	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	87
PID 4964 wrote to memory of 2072	4964	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	87
PID 4964 wrote to memory of 2072	4964	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	87
PID 2072 wrote to memory of 2752	2072	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	89
PID 2072 wrote to memory of 2752	2072	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	89
PID 2072 wrote to memory of 2752	2072	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	89
PID 2752 wrote to memory of 3948	2752	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	91
PID 2752 wrote to memory of 3948	2752	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	91
PID 2752 wrote to memory of 3948	2752	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	91
PID 3948 wrote to memory of 4588	3948	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	93
PID 3948 wrote to memory of 4588	3948	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	93
PID 3948 wrote to memory of 4588	3948	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	93
PID 4588 wrote to memory of 3648	4588	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	95
PID 4588 wrote to memory of 3648	4588	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	95
PID 4588 wrote to memory of 3648	4588	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	95
PID 3648 wrote to memory of 2252	3648	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	97
PID 3648 wrote to memory of 2252	3648	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	97
PID 3648 wrote to memory of 2252	3648	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	97
PID 2252 wrote to memory of 3312	2252	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	99
PID 2252 wrote to memory of 3312	2252	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	99
PID 2252 wrote to memory of 3312	2252	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	99
PID 3312 wrote to memory of 5068	3312	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	101
PID 3312 wrote to memory of 5068	3312	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	101
PID 3312 wrote to memory of 5068	3312	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	101
PID 5068 wrote to memory of 4976	5068	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	103
PID 5068 wrote to memory of 4976	5068	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	103
PID 5068 wrote to memory of 4976	5068	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	103
PID 4976 wrote to memory of 4472	4976	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	105
PID 4976 wrote to memory of 4472	4976	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	105
PID 4976 wrote to memory of 4472	4976	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	105
PID 4472 wrote to memory of 2480	4472	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	107
PID 4472 wrote to memory of 2480	4472	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	107
PID 4472 wrote to memory of 2480	4472	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	107
PID 2480 wrote to memory of 2124	2480	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	109
PID 2480 wrote to memory of 2124	2480	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	109
PID 2480 wrote to memory of 2124	2480	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	109
PID 2124 wrote to memory of 1068	2124	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	111
PID 2124 wrote to memory of 1068	2124	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	111
PID 2124 wrote to memory of 1068	2124	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	111
PID 1068 wrote to memory of 3612	1068	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	113
PID 1068 wrote to memory of 3612	1068	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	113
PID 1068 wrote to memory of 3612	1068	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	113
PID 3612 wrote to memory of 1832	3612	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	115
PID 3612 wrote to memory of 1832	3612	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	115
PID 3612 wrote to memory of 1832	3612	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	115
PID 1832 wrote to memory of 2844	1832	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	117
PID 1832 wrote to memory of 2844	1832	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	117
PID 1832 wrote to memory of 2844	1832	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	117
PID 2844 wrote to memory of 2328	2844	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	119
PID 2844 wrote to memory of 2328	2844	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	119
PID 2844 wrote to memory of 2328	2844	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	119
PID 2328 wrote to memory of 4252	2328	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	121
PID 2328 wrote to memory of 4252	2328	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	121
PID 2328 wrote to memory of 4252	2328	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	121
PID 4252 wrote to memory of 3040	4252	178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe	123

C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
  a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
    a
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
      a
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        12⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        20⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        21⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        23⤵
        Drops file in System32 directory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        24⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        25⤵
        Drops file in System32 directory
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        26⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        27⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        28⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        29⤵
        Drops file in System32 directory
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        30⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        31⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        32⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        33⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        34⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        35⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        36⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        37⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        38⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        39⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        40⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        41⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        42⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        43⤵
        Drops file in System32 directory
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        44⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        45⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        46⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        47⤵
        Drops file in System32 directory
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        48⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        49⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        50⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        51⤵
        Drops file in System32 directory
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        52⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        53⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        54⤵
        Drops file in System32 directory
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        55⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        56⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        57⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        58⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        59⤵
        Drops file in System32 directory
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        60⤵
        Drops file in System32 directory
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        61⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        62⤵
        Drops file in System32 directory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        63⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        64⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        65⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        66⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        67⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        68⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        69⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        70⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        71⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        72⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        73⤵
        Drops file in System32 directory
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        74⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        75⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        76⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        77⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        78⤵
        Drops file in System32 directory
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        79⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        80⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        81⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        82⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        83⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        84⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        85⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        86⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        87⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        88⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        89⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        90⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        91⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        92⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        93⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        94⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        95⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        96⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        97⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        98⤵
        Drops file in System32 directory
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        99⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        100⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        101⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        102⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        103⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        104⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        105⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        106⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        107⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        108⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        109⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        110⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        111⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        112⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        113⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        114⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        115⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        116⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        117⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        118⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        119⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        120⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        121⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        122⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        123⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        124⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        125⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        126⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        127⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        128⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        129⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\178572e4d86614d464edb0c49aed1865_JaffaCakes118.exe
        
        a
        130⤵
        
        PID:992

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4796

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4764

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3112

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4840

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:792

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:756

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1348

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3160

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:1524

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4240

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4536

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3400

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1280

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1092

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:748

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:464

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4212

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2820

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2388

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2100

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:396

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:796

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4468

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:636

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:2144

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4848

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3016

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1832

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:5116

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:448

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3036

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2532

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4116

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1676

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3040

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2420

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4744

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4856

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3408

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4884

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2068

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2404

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:3484

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4524

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4460

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:588

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:4448

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1432

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:688

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:836

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1184

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3948

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3960

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3984

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:896

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2764

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:5064

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2268

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1732

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3052

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2004

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3840

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3612

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:3100

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:1036

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:1956

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:2332

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:756

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
- Drops file in System32 directory
PID:5036

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2276

C:\Windows\SysWOW64\commserv.exe
C:\Windows\SysWOW64\commserv.exe
1⤵
PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\accwiz.bin

Filesize
103B

MD5
0392866ba517ff5be73775f2cfe83265

SHA1
c9c1070089f6516974341dc42dc6fbb7dce17588

SHA256
408cc36fe8c7e3964a270dc06b449cb9ed88932539d92dd6684a1aae6e05517d

SHA512
b88e2100892b26dc50989e692b9dbaf0bbb991ac2d54230b12b958860ecb6374c7e12644ccff7f461fb41509e430117c7aee1608c9d686a4f00a44d87dd7592c

Download Submit
C:\Windows\SysWOW64\commserv.exe

Filesize
124KB

MD5
01201ed072a39c34f21b15b604a9dcd8

SHA1
4761df28afbaa31e32dad6e96c58c9e8eeccdd13

SHA256
a5345fdfc98f7fa340775d0ca5c370b0d8446ee3d5a258979be2a0818b51ba30

SHA512
7532854d6d89c5259b71380eaf32d552e7d9523721536557b84567a5feaa5e0a6ef33e9e1629fbf7c8e6b00f1dd8038a1872c3a5ea4ea1278d9bfb726675dd5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads