Analysis
- max time kernel: 155s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 10/02/2022, 06:54

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: v4vcmk.exe, resource: win7-en-20211208)
- Behavioral task: behavioral2 (sample: v4vcmk.exe, resource: win10v2004-en-20220113)

General
- Target: v4vcmk.exe
- Size: 235KB
- MD5: e7a30a6b98068f2c28af36b58c314c6a
- SHA1: 4a366530e40c4ba0f6df97c8ebce2429aea6cc35
- SHA256: fa5e38ff3f546827c5e62db27f12d68bcc4cb30285a329088c54995b2e4ec5d0
- SHA512: 8e8bff9a8c1976ca5724a8eaec77b81f7d057311021845aa3f72a6573bf25b189e715af3902fef76079e3dd2dcc6cf7ed513f9f8df9cf60c1e23439c990b33e6

Malware Config

Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs)
- Executes dropped EXE (2 IoCs)
  pid   Process
  1124  QgAscQoI.exe
  788   PKsMQUYQ.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation  QgAscQoI.exe
- Loads dropped DLL (14 IoCs)
  pid   Process
  1572  v4vcmk.exe
  1572  v4vcmk.exe
  1572  v4vcmk.exe
  1572  v4vcmk.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
  1124  QgAscQoI.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 6 IoCs)
  description      ioc                                                                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PKsMQUYQ.exe = "C:\\ProgramData\\DmwYMgQc\\PKsMQUYQ.exe"                      PKsMQUYQ.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\TIkMIsss.exe = "C:\\Users\\Admin\\mQUgQkwg\\TIkMIsss.exe"  v4vcmk.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YioMwUEg.exe = "C:\\ProgramData\\xcIAYMoI\\YioMwUEg.exe"                      v4vcmk.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\QgAscQoI.exe = "C:\\Users\\Admin\\hYgwkYwM\\QgAscQoI.exe"  v4vcmk.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\QgAscQoI.exe = "C:\\Users\\Admin\\hYgwkYwM\\QgAscQoI.exe"  QgAscQoI.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PKsMQUYQ.exe = "C:\\ProgramData\\DmwYMgQc\\PKsMQUYQ.exe"                      v4vcmk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  1728  1828        WerFault.exe  967
  672   1472        WerFault.exe  968
- Modifies registry key (1 TTP, 64 IoCs; all entries are reg.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; all entries are v4vcmk.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1124  QgAscQoI.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1728  WerFault.exe
  Token: SeDebugPrivilege  672   WerFault.exe
- Suspicious use of FindShellTrayWindow (64 IoCs; all entries are pid 1124 QgAscQoI.exe)
- Suspicious use of WriteProcessMemory (64 IoCs; parent/child pairs are listed in the process tree below)
Processes
(one line per process: [tree depth] image | command line | PID | matched signatures)

[1] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe" | PID:1572 | Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\hYgwkYwM\QgAscQoI.exe | "C:\Users\Admin\hYgwkYwM\QgAscQoI.exe" | PID:1124 | Executes dropped EXE; Checks computer location settings; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow
[2] C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe | "C:\ProgramData\DmwYMgQc\PKsMQUYQ.exe" | PID:788 | Executes dropped EXE; Adds Run key to start application
[2] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1632 | Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1400 | Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1964 | Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1600 | Suspicious behavior: EnumeratesProcesses
[6] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1968
[7] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1064 | Suspicious behavior: EnumeratesProcesses
[8] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:440
[9] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1224 | Suspicious behavior: EnumeratesProcesses
[10] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1056
[11] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1464 | Suspicious behavior: EnumeratesProcesses
[12] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:856
[13] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:900 | Suspicious behavior: EnumeratesProcesses
[14] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1680
[15] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1892 | Suspicious behavior: EnumeratesProcesses
[16] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:280
[17] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1948 | Suspicious behavior: EnumeratesProcesses
[18] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1296
[19] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1464 | Suspicious behavior: EnumeratesProcesses
[20] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1688
[21] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1368 | Suspicious behavior: EnumeratesProcesses
[22] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1512
[23] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1900 | Suspicious behavior: EnumeratesProcesses
[24] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:884
[25] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1056 | Suspicious behavior: EnumeratesProcesses
[26] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1436
[27] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:572 | Suspicious behavior: EnumeratesProcesses
[28] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1368
[29] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:968 | Suspicious behavior: EnumeratesProcesses
[30] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1880
[31] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1584 | Suspicious behavior: EnumeratesProcesses
[32] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:2028
[33] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1528 | Suspicious behavior: EnumeratesProcesses
[34] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1260
[35] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:856 | Suspicious behavior: EnumeratesProcesses
[36] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1824
[37] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1956 | Suspicious behavior: EnumeratesProcesses
[38] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1472
[39] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1224 | Suspicious behavior: EnumeratesProcesses
[40] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1904
[41] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:668 | Suspicious behavior: EnumeratesProcesses
[42] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:876
[43] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1900 | Suspicious behavior: EnumeratesProcesses
[44] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1804
[45] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1688 | Suspicious behavior: EnumeratesProcesses
[46] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1816
[47] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:708 | Suspicious behavior: EnumeratesProcesses
[48] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1528
[49] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1500 | Suspicious behavior: EnumeratesProcesses
[50] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1056
[51] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1712 | Suspicious behavior: EnumeratesProcesses
[52] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:744
[53] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1820 | Suspicious behavior: EnumeratesProcesses
[54] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1504
[55] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:440 | Suspicious behavior: EnumeratesProcesses
[56] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1444
[57] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1276 | Suspicious behavior: EnumeratesProcesses
[58] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1740
[59] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:992 | Suspicious behavior: EnumeratesProcesses
[60] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:2028
[61] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1500 | Suspicious behavior: EnumeratesProcesses
[62] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1080
[63] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1684 | Suspicious behavior: EnumeratesProcesses
[64] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1200
[65] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1600
[66] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1648
[67] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1956
[68] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1276
[69] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1728
[70] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1456
[71] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1512
[72] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1900
[73] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1544
[74] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1096
[75] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1260
[76] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:964
[77] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:972
[78] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:708
[79] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:736
[80] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1592
[81] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1764
[82] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1456
[83] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1968
[84] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:856
[85] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1544
[86] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1608
[87] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:440
[88] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1464
[89] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1376
[90] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:744
[91] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1112
[92] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1688
[93] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1764
[94] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:884
[95] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1500
[96] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:748
[97] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:896
[98] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1716
[99] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:440
[100] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1452
[101] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1012
[102] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:708
[103] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:684
[104] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1600
[105] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1984
[106] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1888
[107] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1376
[108] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:880
[109] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1468
[110] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:964
[111] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1524
[112] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1232
[113] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:988
[114] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:908
[115] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:736
[116] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:876
[117] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1528
[118] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1376
[119] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:1684
[120] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1060
[121] C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe | C:\Users\Admin\AppData\Local\Temp\v4vcmk | PID:972
[122] C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk" | PID:1204