d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe
Size

3.4MB
MD5

888d36190614310fbfc16548f3568e84
SHA1

238d4bc0cdc004c1c2be109058375e85f6342fc8
SHA256

d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92
SHA512

23852fddcbdc526bfeebd7fad33715553e155c3d16a9ae67b314da0f4678ae5fe761c6fa9894be3fe43b84666db29e08f7d77cdce5b27944e33cab3f53ab39f9

Score

8^/10

miner upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

Rar.exemonvuibk.exeRar.exeplus.exeoiqwiz.exe

pid process

1240 Rar.exe
1820 monvuibk.exe
932 Rar.exe
1352 plus.exe
1700 oiqwiz.exe

pid	process
1240	Rar.exe
1820	monvuibk.exe
932	Rar.exe
1352	plus.exe
1700	oiqwiz.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\xnojklgq\oiqwiz.exe	upx
\xnojklgq\oiqwiz.exe	upx
C:\xnojklgq\oiqwiz.exe	upx
C:\xnojklgq\oiqwiz.exe	upx

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner
Drops startup file 1 IoCs

Processes:

plus.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xnojklgq.lnk plus.exe
Loads dropped DLL 8 IoCs

Processes:

cmd.exemonvuibk.execmd.execmd.exe

pid process

952 cmd.exe
952 cmd.exe
952 cmd.exe
1820 monvuibk.exe
572 cmd.exe
1820 monvuibk.exe
1748 cmd.exe
1748 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xnojklgq.lnk	plus.exe

pid	process
952	cmd.exe
952	cmd.exe
952	cmd.exe
1820	monvuibk.exe
572	cmd.exe
1820	monvuibk.exe
1748	cmd.exe
1748	cmd.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1968	timeout.exe
1160	timeout.exe
928	timeout.exe
1736	timeout.exe
908	timeout.exe
740	timeout.exe
1944	timeout.exe
1556	timeout.exe
1536	timeout.exe
1108	timeout.exe
964	timeout.exe
1544	timeout.exe
472	timeout.exe
1108	timeout.exe
1744	timeout.exe
768	timeout.exe
1564	timeout.exe
856	timeout.exe
1660	timeout.exe
1156	timeout.exe
532	timeout.exe
1048	timeout.exe
1684	timeout.exe
1304	timeout.exe
1628	timeout.exe
1588	timeout.exe
472	timeout.exe
1412	timeout.exe
1000	timeout.exe
320	timeout.exe
2020	timeout.exe
1628	timeout.exe
376	timeout.exe
844	timeout.exe
1412	timeout.exe
1316	timeout.exe
1940	timeout.exe
852	timeout.exe
744	timeout.exe
1244	timeout.exe
1664	timeout.exe
308	timeout.exe
1580	timeout.exe
856	timeout.exe
616	timeout.exe
1792	timeout.exe
1580	timeout.exe
1636	timeout.exe
1584	timeout.exe
320	timeout.exe
596	timeout.exe
1492	timeout.exe
1324	timeout.exe
1612	timeout.exe
1928	timeout.exe
1356	timeout.exe
740	timeout.exe
1576	timeout.exe
888	timeout.exe
1744	timeout.exe
1324	timeout.exe
968	timeout.exe
1504	timeout.exe
748	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
888	tasklist.exe
376	tasklist.exe
316	tasklist.exe
1668	tasklist.exe
1544	tasklist.exe
932	tasklist.exe
1604	tasklist.exe
1532	tasklist.exe
1120	tasklist.exe
1680	tasklist.exe
572	tasklist.exe
1588	tasklist.exe
744	tasklist.exe
1480	tasklist.exe
1628	tasklist.exe
1428	tasklist.exe
1680	tasklist.exe
1560	tasklist.exe
968	tasklist.exe
532	tasklist.exe
932	tasklist.exe
1940	tasklist.exe
972	tasklist.exe
1560	tasklist.exe
1476	tasklist.exe
1980	tasklist.exe
1752	tasklist.exe
1668	tasklist.exe
1572	tasklist.exe
1120	tasklist.exe
1736	tasklist.exe
616	tasklist.exe
532	tasklist.exe
2008	tasklist.exe
1668	tasklist.exe
820	tasklist.exe
1480	tasklist.exe
1260	tasklist.exe
952	tasklist.exe
876	tasklist.exe
1536	tasklist.exe
688	tasklist.exe
1044	tasklist.exe
1752	tasklist.exe
1496	tasklist.exe
1128	tasklist.exe
948	tasklist.exe
616	tasklist.exe
1264	tasklist.exe
1244	tasklist.exe
952	tasklist.exe
1028	tasklist.exe
928	tasklist.exe
1328	tasklist.exe
1624	tasklist.exe
1328	tasklist.exe
1668	tasklist.exe
584	tasklist.exe
1736	tasklist.exe
1564	tasklist.exe
1680	tasklist.exe
1328	tasklist.exe
968	tasklist.exe
1928	tasklist.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

968 taskkill.exe
1688 taskkill.exe
1480 taskkill.exe

pid	process
968	taskkill.exe
1688	taskkill.exe
1480	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

monvuibk.exe

pid	process
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe
1820	monvuibk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	1480	tasklist.exe
Token: SeDebugPrivilege	616	tasklist.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeDebugPrivilege	1120	tasklist.exe
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeDebugPrivilege	788	tasklist.exe
Token: SeDebugPrivilege	968	tasklist.exe
Token: SeDebugPrivilege	1328	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1664	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	1624	tasklist.exe
Token: SeDebugPrivilege	1604	tasklist.exe
Token: SeDebugPrivilege	964	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	532	tasklist.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	932	tasklist.exe
Token: SeDebugPrivilege	2008	tasklist.exe
Token: SeDebugPrivilege	1048	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	316	tasklist.exe
Token: SeDebugPrivilege	904	tasklist.exe
Token: SeDebugPrivilege	1128	tasklist.exe
Token: SeDebugPrivilege	820	tasklist.exe
Token: SeDebugPrivilege	532	tasklist.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	1120	tasklist.exe
Token: SeDebugPrivilege	1752	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	952	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	948	tasklist.exe
Token: SeDebugPrivilege	1476	tasklist.exe
Token: SeDebugPrivilege	932	tasklist.exe
Token: SeDebugPrivilege	1736	tasklist.exe
Token: SeDebugPrivilege	1400	tasklist.exe
Token: SeDebugPrivilege	1428	tasklist.exe
Token: SeDebugPrivilege	376	tasklist.exe
Token: SeDebugPrivilege	1116	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	1044	tasklist.exe
Token: SeDebugPrivilege	616	tasklist.exe
Token: SeDebugPrivilege	732	tasklist.exe
Token: SeDebugPrivilege	584	tasklist.exe
Token: SeDebugPrivilege	1120	tasklist.exe
Token: SeDebugPrivilege	1752	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	952	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	948	tasklist.exe
Token: SeDebugPrivilege	1476	tasklist.exe
Token: SeDebugPrivilege	584	tasklist.exe
Token: SeDebugPrivilege	1120	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exeWScript.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 240	1824	d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe	WScript.exe
PID 1824 wrote to memory of 240	1824	d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe	WScript.exe
PID 1824 wrote to memory of 240	1824	d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe	WScript.exe
PID 1824 wrote to memory of 240	1824	d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe	WScript.exe
PID 1824 wrote to memory of 240	1824	d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe	WScript.exe
PID 1824 wrote to memory of 240	1824	d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe	WScript.exe
PID 1824 wrote to memory of 240	1824	d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe	WScript.exe
PID 240 wrote to memory of 952	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 952	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 952	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 952	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 952	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 952	240	WScript.exe	cmd.exe
PID 240 wrote to memory of 952	240	WScript.exe	cmd.exe
PID 952 wrote to memory of 968	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 968	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 968	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 968	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 968	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 968	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 968	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1688	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1688	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1688	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1688	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1688	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1688	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1688	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 744	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 744	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 744	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 744	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 744	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 744	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 744	952	cmd.exe	timeout.exe
PID 952 wrote to memory of 1572	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1572	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1572	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1572	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1572	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1572	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1572	952	cmd.exe	chcp.com
PID 952 wrote to memory of 1240	952	cmd.exe	Rar.exe
PID 952 wrote to memory of 1240	952	cmd.exe	Rar.exe
PID 952 wrote to memory of 1240	952	cmd.exe	Rar.exe
PID 952 wrote to memory of 1240	952	cmd.exe	Rar.exe
PID 952 wrote to memory of 1240	952	cmd.exe	Rar.exe
PID 952 wrote to memory of 1240	952	cmd.exe	Rar.exe
PID 952 wrote to memory of 1240	952	cmd.exe	Rar.exe
PID 952 wrote to memory of 1480	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1480	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1480	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1480	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1480	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1480	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1480	952	cmd.exe	taskkill.exe
PID 952 wrote to memory of 1820	952	cmd.exe	monvuibk.exe
PID 952 wrote to memory of 1820	952	cmd.exe	monvuibk.exe
PID 952 wrote to memory of 1820	952	cmd.exe	monvuibk.exe
PID 952 wrote to memory of 1820	952	cmd.exe	monvuibk.exe
PID 952 wrote to memory of 1820	952	cmd.exe	monvuibk.exe
PID 952 wrote to memory of 1820	952	cmd.exe	monvuibk.exe
PID 952 wrote to memory of 1820	952	cmd.exe	monvuibk.exe
PID 952 wrote to memory of 616	952	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe
"C:\Users\Admin\AppData\Local\Temp\d90639401e952a40009d20a954359d899c318c442d03b43f2a81b7b3fc00dd92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\sunshiqn\run.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\sunshiqn\pause.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:744

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:1572

C:\sunshiqn\Rar.exe
"Rar.exe" e -p555 privat.rar
4⤵
- Executes dropped EXE
PID:1240

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rar.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\sunshiqn\monvuibk.exe
monvuibk.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\xnojklgq\omen.bat" "
5⤵
- Loads dropped DLL
PID:572

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:1536

C:\xnojklgq\Rar.exe
"Rar.exe" c -zinfo.txt "plus.exe"
6⤵
- Executes dropped EXE
PID:932

C:\xnojklgq\plus.exe
"C:\xnojklgq\plus.exe"
5⤵
- Executes dropped EXE
- Drops startup file
PID:1352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\xnojklgq\Go.vbs"
6⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\xnojklgq\Go.bat" "
7⤵
PID:1276

C:\Windows\SysWOW64\timeout.exe
timeout /t 2 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1684

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:688

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1728

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:436

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1488

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1148

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:844

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:980

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1628

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1560

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1968

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1484

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1048

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:920

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:876

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1444

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1028

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:2040

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:680

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1536

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1344

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:928

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1400

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:844

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:376

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1444

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1668

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:688

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:616

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:932

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:2008

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1048

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1940

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:316

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:888

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1128

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:820

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:532

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1496

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:584

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1120

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1752

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1680

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:952

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1720

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1236

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1560

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:948

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1476

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1344

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:768

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1580

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:876

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1108

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1328

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1664

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1728

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:572

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1948

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:920

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1048

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1192

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:856

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1680

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1684

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1316

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1720

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1000

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:532

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1044

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1496

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1476

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1692

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:2008

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1048

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1256

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:980

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:316

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1480

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1684

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1316

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1968

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:816

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1356

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1264

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:948

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:732

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1856

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1608

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:920

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1928

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1400

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1192

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:888

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:952

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1684

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1536

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1412

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1000

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:616

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1952

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1148

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:948

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:732

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1864

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1588

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:920

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1792

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1156

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:980

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1116

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1544

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1536

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1728

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1924

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:616

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1716

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:928

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:948

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1604

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:688

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1588

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1680

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1752

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1792

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1464

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:316

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1544

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:972

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1368

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1924

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1084

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1356

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1104

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1980

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1736

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1688

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1260

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1572

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1672

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:820

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1564

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1720

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1484

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1316

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1412

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1612

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:556

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:572

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1148

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:932

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1856

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1864

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1928

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1240

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1680

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1296

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1236

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
- Enumerates processes with tasklist
PID:1328

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
- Delays execution with timeout.exe
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:1488

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1944

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1576

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
8⤵
PID:556

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq oiqwiz.exe"
9⤵
- Enumerates processes with tasklist
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
8⤵
PID:1304

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
9⤵
PID:1084

C:\Windows\SysWOW64\timeout.exe
timeout /t 1 /nobreak
8⤵
PID:1104

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\xnojklgq\Auto.vbs"
6⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\xnojklgq\Auto.bat" "
7⤵
- Loads dropped DLL
PID:1748

C:\xnojklgq\oiqwiz.exe
"oiqwiz.exe"
8⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\sunshiqn\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\sunshiqn\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
C:\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
C:\sunshiqn\pause.bat
Filesize
325B

MD5
fb085f47185862061fa2adb5acc58171

SHA1
5f91cf2e8bc109e20dbe97ab91d0b047a727e93b

SHA256
fec96179e59437ede713340e5686b681c107a0363e79c5c24045887f5e7d3e1b

SHA512
a2ac14d7e67fa5d13312141b76fbc11cd373dfb1499b7d575c80e4409334a4bb28523d31044003fd907e5e52ac5e5cc45377551b1d3b704b94b2de7de892e76e

Download Submit
C:\sunshiqn\privat.rar
Filesize
3.0MB

MD5
bcd1d52c65ff0c640681ef7f4b4dd701

SHA1
b3a364dda02cd50ebb7990b2bfee1779a001bd95

SHA256
c54c442cfc5b905a337c740e1008ada67158e22c1b780d39e0e7c5e90ab82750

SHA512
bd9f2033a337acfed85e500588814530f81ef299a241998ae20d4518b01d9094e7ec65f7da2bfbc6328b9a89fd90cdc9233e575274efd4db04269baf035526b8

Download Submit
C:\sunshiqn\run.vbs
Filesize
84B

MD5
6a5f5a48072a1adae96d2bd88848dcff

SHA1
b381fa864db6c521cbf1133a68acf1db4baa7005

SHA256
c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

SHA512
d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

Download Submit
C:\xnojklgq\Auto.bat
Filesize
219B

MD5
88659c9200f43efa7eedad229588356b

SHA1
36b4c368c1f5c75ca990b4d14f8a5eec903485b1

SHA256
4c77b094a906d8a0299b275581628e66c9d4e6ca96dcede7e67a3eb1c2aec2cc

SHA512
a4fe7494848608cdfe65b221edf479ff725c420772899b27db3beef540e64bf36dbc1beca31651b34664445238052d5e41360c47efe17058daa7c848103944ee

Download Submit
C:\xnojklgq\Auto.vbs
Filesize
118B

MD5
8cab8206831c992d7c6dd5f9cfea94d9

SHA1
e36b6dd77691dbf8b1bcb4ce986e3432ff9d06af

SHA256
519603f0aa335880a3a93ba0c193a81b0bff798d931e07e4b6a4109f5a174a52

SHA512
82561a074d840666c6a2549b32d2e6f9d172d6dd7c4a5ee1009f4863fd9522cbbd8296fcdd9534a8243e22f89c6555c10c160576c5f1af516b675bc6d90de105

Download Submit
C:\xnojklgq\Go.bat
Filesize
716B

MD5
6b5ec49cb5d3ae843891067a3484d99e

SHA1
7a903ae5924a1c2dd5406afdf8fa694243d2a26b

SHA256
7874c9ef2c75258c90f01bbc3d5a3f9ed65f1f09c8b00a39b7cfb07f7b45740f

SHA512
9279071dfb1a599827919cff376ae1ef0f518415180ecf1631563caf7c0548f827373e4fee44e24eb705b55107f1bf945aa3cdfd618fdb54ed9c7f381fef4101

Download Submit
C:\xnojklgq\Go.vbs
Filesize
227B

MD5
a3f3d477adf9ca6fffc7eb6ecd9eb17d

SHA1
611442499a4d0ae3fbce1ae1cde20cb92360bb75

SHA256
4e7ea70519889275be433f5bf53a4c81e0ea3db8f0bd2429b68b4f9b262d307c

SHA512
0b4864684acac03fe25b4c80677c4da9e0890cf1b3164e98ee9f807a54017e0f1bceec4010de11b5be5ebedc32f9fe3dc53d5c9529a1ce26485669f00611746d

Download Submit
C:\xnojklgq\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\xnojklgq\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
C:\xnojklgq\giperdragsBFS.json
Filesize
395B

MD5
6e840dd9b1daabed84d1d32f7b8c1b8b

SHA1
ecd00359d98a48fd50856845574579cd93189f6a

SHA256
5a51a2a5f900ef34f3976ac9ccbd9686dc9affe92d9c529b0c8c9361fbc0e3fb

SHA512
11d7d9477fec95d41d721c41bb909869f2bf0bcd1de4755b0a32aeabb73b3235e874e33ee633f7d43982d452849847cee885a2dadebe538f72ab5ea4d2a94ff0

Download Submit
C:\xnojklgq\info.txt
Filesize
142B

MD5
88cebd7e2150d2c3b0c6bff92766cebe

SHA1
a2f955ec6dca14621fa7242b3c7cec77fa349f21

SHA256
5ff39948360d11a40eb8fdcfdd0e31da86bb4018fad97745f570f9bebd159d38

SHA512
e0d2690e5ccaaad279ebb73c2ffc7ee3ca6fe0cbf3af3974df1124eb71fd00906a71819675a258a65411130cf0778ae7f5554d0b1b9be2a4dfd4c486a74597be

Download Submit
C:\xnojklgq\oiqwiz.exe
Filesize
1.4MB

MD5
ddc91455c12983afeda765ebc1405fc7

SHA1
818d160bfb4ae6b870083e80c12ada9bc5c6d9df

SHA256
7e87dcc6ca8263694bdd0313fe3b52d9088c5545dccace2af02e1bdf44e66554

SHA512
51cdc75b64a0ea18db0729f2b9505b1288c4defca7a5e9492922282b475b95b0307cce1daf3677f230140a2c9de594ee28e714eeab7dd69c3ed6fe466b00fe58

Download Submit
C:\xnojklgq\oiqwiz.exe
Filesize
1.4MB

MD5
ddc91455c12983afeda765ebc1405fc7

SHA1
818d160bfb4ae6b870083e80c12ada9bc5c6d9df

SHA256
7e87dcc6ca8263694bdd0313fe3b52d9088c5545dccace2af02e1bdf44e66554

SHA512
51cdc75b64a0ea18db0729f2b9505b1288c4defca7a5e9492922282b475b95b0307cce1daf3677f230140a2c9de594ee28e714eeab7dd69c3ed6fe466b00fe58

Download Submit
C:\xnojklgq\omen.bat
Filesize
78B

MD5
a15b61671e902fe28fb1bf7e459a7bdd

SHA1
694d542af6834fa4cbc81cc3b3a8a99d61378f5e

SHA256
d763ef51ee4520819f8021ebb138578ba3261aa8db5fcec7c69382cca95ff75f

SHA512
653ec95af8f6f73538b0cb8d0fe903267e56b1f1a7d810bff1f4dd5adf675ae2f5a55260b0bc41295b60052fe056b1acfa00c2a07121dd387eb7719997fa15f6

Download Submit
C:\xnojklgq\plus.exe
Filesize
253KB

MD5
ca106b2dd914c5f5b7c0b30e503e35d9

SHA1
0c072402d244612f45f9901a3a22726226a64e29

SHA256
b300747328bd15f160c5bc063e80a961ebf56f3efe2c14da0c51dcbb38b0a55b

SHA512
ee4afcfe7763c66d8a9f2eafa0bd889b0aa86ebaad18d817f23dc6240a214425837dc593dbed971a07a51455ca6911a5f777912687a56e0d8446db0a31664c0a

Download Submit
C:\xnojklgq\plus.exe
Filesize
253KB

MD5
81107f80c971b15dd3718f6b4070c0c1

SHA1
d93e601e3d3e96422881d81a26b4bb108635f6fd

SHA256
ab5fb605318dcc99217aa0c1fb7b646ec16a242db5c8cfa50316794d3c979921

SHA512
c9185e949a7a5a24c9047c7fbfb5702c5f74e8ab5e57dcf2ac893b92d8b1be6e8b8247c83cd746a9eb932b316b691d4f971c19464d9faf6fe2c309b2c10810be

Download Submit
C:\xnojklgq\plus.exe
Filesize
253KB

MD5
81107f80c971b15dd3718f6b4070c0c1

SHA1
d93e601e3d3e96422881d81a26b4bb108635f6fd

SHA256
ab5fb605318dcc99217aa0c1fb7b646ec16a242db5c8cfa50316794d3c979921

SHA512
c9185e949a7a5a24c9047c7fbfb5702c5f74e8ab5e57dcf2ac893b92d8b1be6e8b8247c83cd746a9eb932b316b691d4f971c19464d9faf6fe2c309b2c10810be

Download Submit
\sunshiqn\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
\sunshiqn\monvuibk.exe
Filesize
6.5MB

MD5
5a5db532785179ed05b8a80187d7ee21

SHA1
e42a3a40e836b691c2aa9dbe9600da17c8c75763

SHA256
43d61d6b22303523a18c79162c58c15f108635a6b9bbff1a3331b74624467593

SHA512
4e45569289f3dbe5abd7c2f4303e2af0facdf239ec1effd2d15fac01f129bcd44ece0b389892ad70a42d0dd511e156adb5ce98176158c0ea42b4b0fefa51138b

Download Submit
\xnojklgq\Rar.exe
Filesize
370KB

MD5
2e86a9862257a0cf723ceef3868a1a12

SHA1
a4324281823f0800132bf13f5ad3860e6b5532c6

SHA256
2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

SHA512
3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

Download Submit
\xnojklgq\oiqwiz.exe
Filesize
1.4MB

MD5
ddc91455c12983afeda765ebc1405fc7

SHA1
818d160bfb4ae6b870083e80c12ada9bc5c6d9df

SHA256
7e87dcc6ca8263694bdd0313fe3b52d9088c5545dccace2af02e1bdf44e66554

SHA512
51cdc75b64a0ea18db0729f2b9505b1288c4defca7a5e9492922282b475b95b0307cce1daf3677f230140a2c9de594ee28e714eeab7dd69c3ed6fe466b00fe58

Download Submit
\xnojklgq\oiqwiz.exe
Filesize
1.4MB

MD5
ddc91455c12983afeda765ebc1405fc7

SHA1
818d160bfb4ae6b870083e80c12ada9bc5c6d9df

SHA256
7e87dcc6ca8263694bdd0313fe3b52d9088c5545dccace2af02e1bdf44e66554

SHA512
51cdc75b64a0ea18db0729f2b9505b1288c4defca7a5e9492922282b475b95b0307cce1daf3677f230140a2c9de594ee28e714eeab7dd69c3ed6fe466b00fe58

Download Submit
\xnojklgq\plus.exe
Filesize
253KB

MD5
81107f80c971b15dd3718f6b4070c0c1

SHA1
d93e601e3d3e96422881d81a26b4bb108635f6fd

SHA256
ab5fb605318dcc99217aa0c1fb7b646ec16a242db5c8cfa50316794d3c979921

SHA512
c9185e949a7a5a24c9047c7fbfb5702c5f74e8ab5e57dcf2ac893b92d8b1be6e8b8247c83cd746a9eb932b316b691d4f971c19464d9faf6fe2c309b2c10810be

Download Submit
memory/240-55-0x0000000000000000-mapping.dmp

Download
memory/436-139-0x0000000000000000-mapping.dmp

Download
memory/532-209-0x0000000000000000-mapping.dmp

Download
memory/572-86-0x0000000000000000-mapping.dmp

Download
memory/616-135-0x0000000000000000-mapping.dmp

Download
memory/616-81-0x0000000000000000-mapping.dmp

Download
memory/688-129-0x0000000000000000-mapping.dmp

Download
memory/744-65-0x0000000000000000-mapping.dmp

Download
memory/768-187-0x0000000000000000-mapping.dmp

Download
memory/788-155-0x0000000000000000-mapping.dmp

Download
memory/844-153-0x0000000000000000-mapping.dmp

Download
memory/876-107-0x0000000000000000-mapping.dmp

Download
memory/876-191-0x0000000000000000-mapping.dmp

Download
memory/888-195-0x0000000000000000-mapping.dmp

Download
memory/908-157-0x0000000000000000-mapping.dmp

Download
memory/920-189-0x0000000000000000-mapping.dmp

Download
memory/932-93-0x0000000000000000-mapping.dmp

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/964-193-0x0000000000000000-mapping.dmp

Download
memory/968-161-0x0000000000000000-mapping.dmp

Download
memory/968-61-0x0000000000000000-mapping.dmp

Download
memory/972-181-0x0000000000000000-mapping.dmp

Download
memory/980-159-0x0000000000000000-mapping.dmp

Download
memory/1028-201-0x0000000000000000-mapping.dmp

Download
memory/1048-183-0x0000000000000000-mapping.dmp

Download
memory/1120-145-0x0000000000000000-mapping.dmp

Download
memory/1148-149-0x0000000000000000-mapping.dmp

Download
memory/1224-151-0x0000000000000000-mapping.dmp

Download
memory/1240-71-0x0000000000000000-mapping.dmp

Download
memory/1276-110-0x0000000000000000-mapping.dmp

Download
memory/1284-177-0x0000000000000000-mapping.dmp

Download
memory/1328-165-0x0000000000000000-mapping.dmp

Download
memory/1352-100-0x0000000000000000-mapping.dmp

Download
memory/1444-197-0x0000000000000000-mapping.dmp

Download
memory/1480-75-0x0000000000000000-mapping.dmp

Download
memory/1480-131-0x0000000000000000-mapping.dmp

Download
memory/1484-179-0x0000000000000000-mapping.dmp

Download
memory/1488-143-0x0000000000000000-mapping.dmp

Download
memory/1532-141-0x0000000000000000-mapping.dmp

Download
memory/1536-137-0x0000000000000000-mapping.dmp

Download
memory/1536-89-0x0000000000000000-mapping.dmp

Download
memory/1544-171-0x0000000000000000-mapping.dmp

Download
memory/1560-169-0x0000000000000000-mapping.dmp

Download
memory/1564-205-0x0000000000000000-mapping.dmp

Download
memory/1572-67-0x0000000000000000-mapping.dmp

Download
memory/1584-127-0x0000000000000000-mapping.dmp

Download
memory/1624-185-0x0000000000000000-mapping.dmp

Download
memory/1628-163-0x0000000000000000-mapping.dmp

Download
memory/1628-115-0x0000000000000000-mapping.dmp

Download
memory/1664-175-0x0000000000000000-mapping.dmp

Download
memory/1668-203-0x0000000000000000-mapping.dmp

Download
memory/1668-125-0x0000000000000000-mapping.dmp

Download
memory/1684-123-0x0000000000000000-mapping.dmp

Download
memory/1684-167-0x0000000000000000-mapping.dmp

Download
memory/1688-63-0x0000000000000000-mapping.dmp

Download
memory/1700-120-0x0000000000000000-mapping.dmp

Download
memory/1728-133-0x0000000000000000-mapping.dmp

Download
memory/1736-147-0x0000000000000000-mapping.dmp

Download
memory/1748-112-0x0000000000000000-mapping.dmp

Download
memory/1820-80-0x0000000000000000-mapping.dmp

Download
memory/1820-199-0x0000000000000000-mapping.dmp

Download
memory/1824-54-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1968-173-0x0000000000000000-mapping.dmp

Download
memory/1980-104-0x0000000000000000-mapping.dmp

Download
memory/2040-207-0x0000000000000000-mapping.dmp

Download