Analysis
max time kernel: 168s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 10/02/2022, 06:54

Static task: static1
Behavioral task: behavioral1
  Sample: v4vcmk.exe
  Resource: win7-en-20211208
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: v4vcmk.exe
  Resource: win10v2004-en-20220113
  0 signatures, 0 seconds
General
Target: v4vcmk.exe
Size: 235KB
MD5: e7a30a6b98068f2c28af36b58c314c6a
SHA1: 4a366530e40c4ba0f6df97c8ebce2429aea6cc35
SHA256: fa5e38ff3f546827c5e62db27f12d68bcc4cb30285a329088c54995b2e4ec5d0
SHA512: 8e8bff9a8c1976ca5724a8eaec77b81f7d057311021845aa3f72a6573bf25b189e715af3902fef76079e3dd2dcc6cf7ed513f9f8df9cf60c1e23439c990b33e6
Score: 10/10
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs)

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
PID 3868 created 4836 | 3868 | WerFault.exe | 693
PID 2432 created 3520 | 2432 | WerFault.exe | 696
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
6 | 3628 | cmd.exe
8 | 3628 | cmd.exe
Executes dropped EXE (2 IoCs)
pid | Process
3404 | dAkcYIYg.exe
4032 | LyocAoAM.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dAkcYIYg.exe = "C:\\Users\\Admin\\fSgEsIQI\\dAkcYIYg.exe" | v4vcmk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dAkcYIYg.exe = "C:\\Users\\Admin\\fSgEsIQI\\dAkcYIYg.exe" | dAkcYIYg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LyocAoAM.exe = "C:\\ProgramData\\WwgMQcMw\\LyocAoAM.exe" | v4vcmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LyocAoAM.exe = "C:\\ProgramData\\WwgMQcMw\\LyocAoAM.exe" | LyocAoAM.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecEsQUkU.exe = "C:\\Users\\Admin\\IGMkwoUM\\ecEsQUkU.exe" | Conhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QMYUIoMs.exe = "C:\\ProgramData\\QAMQQckI\\QMYUIoMs.exe" | Conhost.exe

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process not Found
Drops file in Windows directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | Process not Found
File opened for modification | C:\Windows\Logs\CBS\CBS.log | Process not Found
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2308 | 3520 | WerFault.exe | 696
4460 | 4836 | WerFault.exe | 693
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies registry key (1 TTPs, 64 IoCs)
pid | Process
3864 | reg.exe
1040 | reg.exe
4600 | reg.exe
940 | reg.exe
4996 | Process not Found
1296 | Process not Found
3904 | Process not Found
520 | reg.exe
3928 | reg.exe
4632 | reg.exe
3472 | reg.exe
2484 | reg.exe
3760 | Process not Found
4680 | reg.exe
4464 | reg.exe
1040 | reg.exe
3336 | reg.exe
3124 | Process not Found
4232 | reg.exe
3684 | reg.exe
2792 | reg.exe
4416 | Process not Found
4884 | Process not Found
4516 | reg.exe
1368 | reg.exe
520 | Process not Found
4308 | Process not Found
3768 | reg.exe
3856 | reg.exe
1488 | Process not Found
2256 | reg.exe
4660 | reg.exe
2264 | reg.exe
1136 | reg.exe
2796 | reg.exe
3776 | Process not Found
2132 | Process not Found
784 | reg.exe
4668 | reg.exe
4500 | reg.exe
3336 | reg.exe
2540 | Process not Found
3608 | Process not Found
2784 | reg.exe
5000 | reg.exe
2260 | Process not Found
4552 | reg.exe
4104 | reg.exe
1432 | reg.exe
1580 | Process not Found
4788 | Process not Found
344 | Process not Found
364 | reg.exe
4996 | reg.exe
3400 | reg.exe
2504 | Process not Found
1908 | Process not Found
2768 | reg.exe
4676 | reg.exe
2132 | reg.exe
3076 | Process not Found
4008 | Process not Found
1712 | reg.exe
1592 | Process not Found
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2644 | v4vcmk.exe
2644 | v4vcmk.exe
2644 | v4vcmk.exe
2644 | v4vcmk.exe
1656 | v4vcmk.exe
1656 | v4vcmk.exe
1656 | v4vcmk.exe
1656 | v4vcmk.exe
1252 | v4vcmk.exe
1252 | v4vcmk.exe
1252 | v4vcmk.exe
1252 | v4vcmk.exe
4044 | v4vcmk.exe
4044 | v4vcmk.exe
4044 | v4vcmk.exe
4044 | v4vcmk.exe
4956 | v4vcmk.exe
4956 | v4vcmk.exe
4956 | v4vcmk.exe
4956 | v4vcmk.exe
1868 | v4vcmk.exe
1868 | v4vcmk.exe
1868 | v4vcmk.exe
1868 | v4vcmk.exe
1176 | v4vcmk.exe
1176 | v4vcmk.exe
1176 | v4vcmk.exe
1176 | v4vcmk.exe
4892 | v4vcmk.exe
4892 | v4vcmk.exe
4892 | v4vcmk.exe
4892 | v4vcmk.exe
1968 | v4vcmk.exe
1968 | v4vcmk.exe
1968 | v4vcmk.exe
1968 | v4vcmk.exe
3876 | v4vcmk.exe
3876 | v4vcmk.exe
3876 | v4vcmk.exe
3876 | v4vcmk.exe
4560 | v4vcmk.exe
4560 | v4vcmk.exe
4560 | v4vcmk.exe
4560 | v4vcmk.exe
3532 | v4vcmk.exe
3532 | v4vcmk.exe
3532 | v4vcmk.exe
3532 | v4vcmk.exe
3932 | reg.exe
3932 | reg.exe
3932 | reg.exe
3932 | reg.exe
4524 | v4vcmk.exe
4524 | v4vcmk.exe
4524 | v4vcmk.exe
4524 | v4vcmk.exe
4700 | v4vcmk.exe
4700 | v4vcmk.exe
4700 | v4vcmk.exe
4700 | v4vcmk.exe
3508 | v4vcmk.exe
3508 | v4vcmk.exe
3508 | v4vcmk.exe
3508 | v4vcmk.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4608 | svchost.exe
Token: SeCreatePagefilePrivilege | 4608 | svchost.exe
Token: SeShutdownPrivilege | 4608 | svchost.exe
Token: SeCreatePagefilePrivilege | 4608 | svchost.exe
Token: SeShutdownPrivilege | 4608 | svchost.exe
Token: SeCreatePagefilePrivilege | 4608 | svchost.exe
Token: SeRestorePrivilege | 2308 | WerFault.exe
Token: SeBackupPrivilege | 2308 | WerFault.exe
Token: SeRestorePrivilege | 4460 | WerFault.exe
Token: SeBackupPrivilege | 4460 | WerFault.exe
Token: SeBackupPrivilege | 4460 | WerFault.exe
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Token: SeSecurityPrivilege | 3132 | Process not Found
Token: SeBackupPrivilege | 3132 | Process not Found
Token: SeRestorePrivilege | 3132 | Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2644 wrote to memory of 3404 | 2644 | v4vcmk.exe | 82
PID 2644 wrote to memory of 3404 | 2644 | v4vcmk.exe | 82
PID 2644 wrote to memory of 3404 | 2644 | v4vcmk.exe | 82
PID 2644 wrote to memory of 4032 | 2644 | v4vcmk.exe | 83
PID 2644 wrote to memory of 4032 | 2644 | v4vcmk.exe | 83
PID 2644 wrote to memory of 4032 | 2644 | v4vcmk.exe | 83
PID 2644 wrote to memory of 1068 | 2644 | v4vcmk.exe | 84
PID 2644 wrote to memory of 1068 | 2644 | v4vcmk.exe | 84
PID 2644 wrote to memory of 1068 | 2644 | v4vcmk.exe | 84
PID 2644 wrote to memory of 3932 | 2644 | v4vcmk.exe | 85
PID 2644 wrote to memory of 3932 | 2644 | v4vcmk.exe | 85
PID 2644 wrote to memory of 3932 | 2644 | v4vcmk.exe | 85
PID 2644 wrote to memory of 520 | 2644 | v4vcmk.exe | 86
PID 2644 wrote to memory of 520 | 2644 | v4vcmk.exe | 86
PID 2644 wrote to memory of 520 | 2644 | v4vcmk.exe | 86
PID 2644 wrote to memory of 1552 | 2644 | v4vcmk.exe | 89
PID 2644 wrote to memory of 1552 | 2644 | v4vcmk.exe | 89
PID 2644 wrote to memory of 1552 | 2644 | v4vcmk.exe | 89
PID 2644 wrote to memory of 1996 | 2644 | v4vcmk.exe | 87
PID 2644 wrote to memory of 1996 | 2644 | v4vcmk.exe | 87
PID 2644 wrote to memory of 1996 | 2644 | v4vcmk.exe | 87
PID 1068 wrote to memory of 1656 | 1068 | cmd.exe | 95
PID 1068 wrote to memory of 1656 | 1068 | cmd.exe | 95
PID 1068 wrote to memory of 1656 | 1068 | cmd.exe | 95
PID 1996 wrote to memory of 4292 | 1996 | cmd.exe | 94
PID 1996 wrote to memory of 4292 | 1996 | cmd.exe | 94
PID 1996 wrote to memory of 4292 | 1996 | cmd.exe | 94
PID 1656 wrote to memory of 4008 | 1656 | v4vcmk.exe | 96
PID 1656 wrote to memory of 4008 | 1656 | v4vcmk.exe | 96
PID 1656 wrote to memory of 4008 | 1656 | v4vcmk.exe | 96
PID 4008 wrote to memory of 1252 | 4008 | cmd.exe | 98
PID 4008 wrote to memory of 1252 | 4008 | cmd.exe | 98
PID 4008 wrote to memory of 1252 | 4008 | cmd.exe | 98
PID 1656 wrote to memory of 3808 | 1656 | v4vcmk.exe | 106
PID 1656 wrote to memory of 3808 | 1656 | v4vcmk.exe | 106
PID 1656 wrote to memory of 3808 | 1656 | v4vcmk.exe | 106
PID 1656 wrote to memory of 4656 | 1656 | v4vcmk.exe | 105
PID 1656 wrote to memory of 4656 | 1656 | v4vcmk.exe | 105
PID 1656 wrote to memory of 4656 | 1656 | v4vcmk.exe | 105
PID 1656 wrote to memory of 2372 | 1656 | v4vcmk.exe | 104
PID 1656 wrote to memory of 2372 | 1656 | v4vcmk.exe | 104
PID 1656 wrote to memory of 2372 | 1656 | v4vcmk.exe | 104
PID 1656 wrote to memory of 2228 | 1656 | v4vcmk.exe | 99
PID 1656 wrote to memory of 2228 | 1656 | v4vcmk.exe | 99
PID 1656 wrote to memory of 2228 | 1656 | v4vcmk.exe | 99
PID 2228 wrote to memory of 2420 | 2228 | cmd.exe | 107
PID 2228 wrote to memory of 2420 | 2228 | cmd.exe | 107
PID 2228 wrote to memory of 2420 | 2228 | cmd.exe | 107
PID 1252 wrote to memory of 3212 | 1252 | v4vcmk.exe | 108
PID 1252 wrote to memory of 3212 | 1252 | v4vcmk.exe | 108
PID 1252 wrote to memory of 3212 | 1252 | v4vcmk.exe | 108
PID 1252 wrote to memory of 296 | 1252 | v4vcmk.exe | 117
PID 1252 wrote to memory of 296 | 1252 | v4vcmk.exe | 117
PID 1252 wrote to memory of 296 | 1252 | v4vcmk.exe | 117
PID 1252 wrote to memory of 740 | 1252 | v4vcmk.exe | 116
PID 1252 wrote to memory of 740 | 1252 | v4vcmk.exe | 116
PID 1252 wrote to memory of 740 | 1252 | v4vcmk.exe | 116
PID 1252 wrote to memory of 1688 | 1252 | v4vcmk.exe | 115
PID 1252 wrote to memory of 1688 | 1252 | v4vcmk.exe | 115
PID 1252 wrote to memory of 1688 | 1252 | v4vcmk.exe | 115
PID 1252 wrote to memory of 4204 | 1252 | v4vcmk.exe | 114
PID 1252 wrote to memory of 4204 | 1252 | v4vcmk.exe | 114
PID 1252 wrote to memory of 4204 | 1252 | v4vcmk.exe | 114
PID 3212 wrote to memory of 4044 | 3212 | cmd.exe | 118
System policy modification (1 TTPs, 18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Processes
(Each entry gives the tree depth, the PID, the image path and the command line, followed by the signatures the sandbox attached to that process.)

Level 1, PID 2644: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 2, PID 3404: C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe
  Command line: "C:\Users\Admin\fSgEsIQI\dAkcYIYg.exe"
  - Executes dropped EXE
  - Adds Run key to start application
Level 2, PID 4032: C:\ProgramData\WwgMQcMw\LyocAoAM.exe
  Command line: "C:\ProgramData\WwgMQcMw\LyocAoAM.exe"
  - Executes dropped EXE
  - Adds Run key to start application
Level 2, PID 1068: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
  - Suspicious use of WriteProcessMemory
Level 3, PID 1656: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 4, PID 4008: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
  - Suspicious use of WriteProcessMemory
Level 5, PID 1252: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 6, PID 3212: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
  - Suspicious use of WriteProcessMemory
Level 7, PID 4044: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 8, PID 1408: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 9, PID 4956: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 10, PID 1856: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 11, PID 1868: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 12, PID 3536: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 13, PID 1176: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 14, PID 4856: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 15, PID 4892: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 16, PID 2372: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 17, PID 1968: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 18, PID 1488: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 19, PID 3876: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 20, PID 5068: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 21, PID 4560: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 22, PID 3480: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 23, PID 3532: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 24, PID 2592: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 25, PID 3932: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 26, PID 2704: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYEkMowQ.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 27, PID 2132: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 26, PID 1020: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 26, PID 204: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 26, PID 2252: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 26, PID 2420: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 24, PID 3668: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 24, PID 3524: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcAQkMA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 25, PID 4884: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 24, PID 2256: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
Level 24, PID 520: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
Level 22, PID 1748: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCgIAsYA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 23, PID 3800: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 22, PID 4600: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 22, PID 3984: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 22, PID 5008: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 20, PID 1912: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 20, PID 3336: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 20, PID 2784: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 20, PID 1444: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pooUoUQI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 21, PID 3376: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 18, PID 4772: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSYAEMQM.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 19, PID 3044: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 18, PID 3076: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 18, PID 4352: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 18, PID 4356: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 16, PID 4608: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 16, PID 4444: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaIYwMoI.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 17, PID 60: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 16, PID 204: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 16, PID 396: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 14, PID 4436: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 14, PID 1656: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncIgIoUw.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 15, PID 4800: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 14, PID 4232: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
Level 14, PID 1716: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 12, PID 3612: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcQoEgII.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 13, PID 752: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 12, PID 1600: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 13, PID 4252: C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Level 12, PID 3560: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 12, PID 3800: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 10, PID 4784: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMEQogAA.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 11, PID 3984: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 11, PID 2252: C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Level 10, PID 1928: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 11, PID 2328: C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Level 10, PID 2312: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 10, PID 4860: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 9, PID 3376: C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Level 8, PID 1864: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 8, PID 4200: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 8, PID 3204: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 8, PID 3864: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buskYcUk.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 9, PID 4360: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 6, PID 4204: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiUcsAoE.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
Level 7, PID 4332: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 6, PID 1688: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Level 6, PID 740: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Level 6, PID 296: C:\Windows\SysWOW64\reg.exe
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Level 4, PID 2228: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmEMMMck.bat" "C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe""
  - Suspicious use of WriteProcessMemory
Level 5, PID 2420: C:\Windows\SysWOW64\cscript.exe
  Command line: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
Level 6, PID 4524: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 7, PID 2328: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 8, PID 4700: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 9, PID 4428: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 10, PID 3508: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 11, PID 1988: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 12, PID 4360: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 13, PID 1292: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 14, PID 3692: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 15, PID 3804: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 16, PID 4856: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 17, PID 4416: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 18, PID 4320: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 19, PID 3440: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 20, PID 2400: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 21, PID 656: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 22, PID 748: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 23, PID 2100: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 24, PID 5060: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 25, PID 3480: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 26, PID 3880: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 27, PID 3104: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 28, PID 4008: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 29, PID 4932: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 30, PID 3396: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 31, PID 3864: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 32, PID 4804: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 33, PID 2016: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 34, PID 2564: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 35, PID 3456: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 36, PID 5104: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 37, PID 2580: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 38, PID 3692: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 39, PID 4252: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 40, PID 3508: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
  - Suspicious behavior: EnumeratesProcesses
Level 41, PID 4120: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
Level 42, PID 4216: C:\Users\Admin\AppData\Local\Temp\v4vcmk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\v4vcmk
Level 43, PID 4016: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk44⤵PID:4124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"45⤵
- Checks whether UAC is enabled
- System policy modification
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk46⤵PID:1976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"47⤵PID:4008
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV148⤵PID:4300
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk48⤵PID:4524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"49⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk50⤵PID:3788
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"51⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk52⤵PID:5008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"53⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk54⤵PID:4124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"55⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk56⤵PID:4552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"57⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk58⤵PID:4576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"59⤵PID:2388
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV160⤵PID:2260
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk60⤵PID:3400
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"61⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk62⤵PID:4228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"63⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk64⤵PID:4000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"65⤵
- Checks whether UAC is enabled
- System policy modification
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk66⤵PID:4676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"67⤵PID:780
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk68⤵PID:3760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"69⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk70⤵PID:5056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"71⤵PID:796
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV172⤵PID:5008
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk72⤵PID:3548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"73⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk74⤵PID:1868
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"75⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk76⤵PID:4216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"77⤵PID:1064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵PID:3096
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk78⤵PID:4784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"79⤵PID:3996
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk80⤵PID:3608
-
C:\Users\Admin\IGMkwoUM\ecEsQUkU.exe"C:\Users\Admin\IGMkwoUM\ecEsQUkU.exe"81⤵PID:4836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 22882⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"81⤵PID:2644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV182⤵PID:5064
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk82⤵PID:296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"83⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk84⤵PID:4500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"85⤵PID:1600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV186⤵PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk86⤵PID:4784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"87⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk88⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"89⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk90⤵PID:3560
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"91⤵
- Blocklisted process makes network request
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk92⤵PID:4356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"93⤵PID:4200
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV194⤵PID:3464
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk94⤵PID:2680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"95⤵
- Checks whether UAC is enabled
- System policy modification
PID:2504 -
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk96⤵PID:752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"97⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk98⤵PID:600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"99⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk100⤵PID:4720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"101⤵
- Checks whether UAC is enabled
- System policy modification
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk102⤵PID:4764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"103⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk104⤵PID:2188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"105⤵PID:1296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1106⤵PID:1968
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk106⤵PID:2500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"107⤵PID:2192
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1108⤵PID:2364
-
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk108⤵PID:3256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"109⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk110⤵PID:4716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"111⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk112⤵PID:2312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"113⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk114⤵PID:4416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"115⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk116⤵PID:4308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"117⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk118⤵PID:1856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"119⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk120⤵PID:2388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"121⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk122⤵PID:2920
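The tree above is a single chain of the sample relaunching itself through cmd.exe more than a hundred levels deep, with a dropped executable crashing under WerFault part-way down. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it parses process-tree lines in the fused form the export produces (image path, command line and tree depth run together, signatures and PID on following lines), rebuilds parent links, and counts the v4vcmk.exe, cmd.exe /c "v4vcmk", v4vcmk.exe relaunch hops. The sample lines are constructed from entries in this report; the depth-splitting rule (a node is at most one level deeper than the node before it) is an assumption about the export format, needed because a trailing digit of the command line is indistinguishable from the depth number without that context.

```python
"""Parse fused sandbox process-tree lines and flag recursive self-relaunch.

Added example; the SAMPLE lines are constructed from this report's tree.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the export's own fused format: "<image><cmdline><depth>⤵[PID:<n>]",
# optionally followed by "- <signature>" lines and a "PID:<n>" line.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"7⤵PID:2328
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk8⤵PID:4700
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v4vcmk"9⤵
- Blocklisted process makes network request
PID:3628
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:3464
C:\Users\Admin\AppData\Local\Temp\v4vcmk.exeC:\Users\Admin\AppData\Local\Temp\v4vcmk10⤵PID:3508
C:\Users\Admin\IGMkwoUM\ecEsQUkU.exe"C:\Users\Admin\IGMkwoUM\ecEsQUkU.exe"11⤵PID:4836
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 22812⤵PID:4460
"""

# The image path ends at the first ".exe"; the trailing digit run before ⤵ holds the
# tree depth possibly glued onto the end of the command line.
ENTRY_RE = re.compile(
    r"^(?P<image>.+?\.exe)(?P<rest>.*?)(?P<digits>\d+)⤵(?:PID:(?P<pid>\d+))?$", re.IGNORECASE
)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int]
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False)


def split_depth(digits: str, prev_depth: Optional[int]) -> Tuple[str, int]:
    """Split the fused digit run into (command-line remainder, depth).

    "-s 228" at depth 82 arrives as "-s 22882", so we take the longest suffix
    that is a plausible depth: at most one level deeper than the previous node.
    This is a heuristic (assumption) about the export; it cannot be resolved
    from the line alone.
    """
    if prev_depth is None:
        return "", int(digits)
    for cut in range(len(digits)):
        depth = int(digits[cut:])
        if 1 <= depth <= prev_depth + 1:
            return digits[:cut], depth
    raise ValueError(f"no plausible depth in {digits!r}")


def parse_tree(text: str) -> List[Proc]:
    procs: List[Proc] = []
    prev_depth: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            lead, depth = split_depth(m["digits"], prev_depth)
            proc = Proc(m["image"], (m["rest"] + lead).strip(), depth,
                        int(m["pid"]) if m["pid"] else None)
            # Parent is the nearest earlier node exactly one level up.
            for cand in reversed(procs):
                if cand.depth == depth - 1:
                    proc.parent = cand
                    break
            procs.append(proc)
            prev_depth = depth
        elif line.startswith("- ") and procs:
            procs[-1].signatures.append(line[2:])
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:])
        # Anything else (blank lines, stray list residue) is ignored.
    return procs


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def relaunch_cycles(procs: List[Proc]) -> int:
    """Count X.exe -> cmd.exe /c "<X without .exe>" -> X.exe hops.

    cmd resolves the extensionless path through PATHEXT, so the grandchild is
    the same binary again; each hop is one iteration of the relaunch loop.
    """
    cycles = 0
    for p in procs:
        par = p.parent
        gp = par.parent if par else None
        if not (par and gp) or basename(par.image) != "cmd.exe":
            continue
        if basename(gp.image) != basename(p.image):
            continue
        stem = p.image[:-4] if p.image.lower().endswith(".exe") else p.image
        if f'/c "{stem}"'.lower() in par.cmdline.lower():
            cycles += 1
    return cycles


def summarize(procs: List[Proc]) -> dict:
    crashed = []
    for p in procs:
        if basename(p.image) == "werfault.exe":
            m = re.search(r"-p (\d+)", p.cmdline)  # WerFault's -p is the crashed PID
            if m:
                crashed.append(int(m.group(1)))
    return {
        "entries": len(procs),
        "max_depth": max(p.depth for p in procs),
        "relaunch_cycles": relaunch_cycles(procs),
        "flagged": {p.pid: p.signatures for p in procs if p.signatures},
        "crashed_pids": crashed,
    }


if __name__ == "__main__":
    print(summarize(parse_tree(SAMPLE)))
```

Run against a full export, `relaunch_cycles` gives the number of loop iterations and `max_depth` the depth the sandbox reached before its time limit; the `flagged` map ties each signature to the PID it fired on, which is what you want when a report spreads one behaviour (the UAC check and policy modification here) across several otherwise identical cmd.exe instances.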