Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
30-12-2023 10:59
General
-
Target
169770d1b39686dba1237519ab827a2d.exe
-
Size
42KB
-
MD5
169770d1b39686dba1237519ab827a2d
-
SHA1
fb5352912ffff67cea1afe02c38a7e19993d7851
-
SHA256
fc39d9f91900bed78a83835b43cdc19375e3278a3878ebfd5bf6e4f5b94d1839
-
SHA512
d2fe537125dd519437de12224d679ef044902abf03bb0185b1288f9f8bd900bb56ce18fc8fb8cee19219e643ed942ad5efe1269c4a97716be632dcc43daa427d
-
SSDEEP
768:n+WwQOIEXqFsVSNAB8pz7T8RQYHhplSm8IIYkYDgn7Tf241WJkBI:+odIqcMA6tTFwpkP7Ykn248J3
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Drops file in Drivers directory 37 IoCs
-
Checks computer location settings 2 TTPs 28 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 38 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 38 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\169770d1b39686dba1237519ab827a2d.exe"C:\Users\Admin\AppData\Local\Temp\169770d1b39686dba1237519ab827a2d.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"4⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"4⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"5⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"5⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"5⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip5⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"5⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip5⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"5⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"4⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com5⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip5⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"5⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip6⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul7⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"7⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"7⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"7⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com7⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip7⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"7⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com6⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip6⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"5⤵
-
-
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"4⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"4⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"5⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\169770~1.EXE > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\169770d1b39686dba1237519ab827a2d.exe"C:\Users\Admin\AppData\Local\Temp\169770d1b39686dba1237519ab827a2d.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com4⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip4⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com3⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip3⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"3⤵
-
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com1⤵
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip1⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\system32\shwizard.exe"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\shwizard.exe > nul2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.com"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q "%HOMEPATH%\Desktop\*.zip"2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.com2⤵
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C del /F /S /Q *.zip2⤵
-
-
C:\Windows\SysWOW64\shwizard.exe"C:\Windows\SysWOW64\shwizard.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD5169770d1b39686dba1237519ab827a2d
SHA1fb5352912ffff67cea1afe02c38a7e19993d7851
SHA256fc39d9f91900bed78a83835b43cdc19375e3278a3878ebfd5bf6e4f5b94d1839
SHA512d2fe537125dd519437de12224d679ef044902abf03bb0185b1288f9f8bd900bb56ce18fc8fb8cee19219e643ed942ad5efe1269c4a97716be632dcc43daa427d
-
Filesize
3KB
MD5a3ba37f0afdc1fd9a69f4f44cdbc26e1
SHA15d667022420623974407a1157933b08c52e72d2c
SHA2566d63d07049c5eeae2802b8fd9f4294e8a4620643dca5e6c4dbe1d0c09e60a4c5
SHA512edf6413cf88bb1b5e7e5e04cc1f786ab934f41a18abd85dc77456f282be83f828559e09727f2b97fa2a50c46c95190b610c2cf28db24bdd7112d71a4a33826e8
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
72KB