14d8da4067620e891c74a980d9c0ad594cca94f9c33e8fc63d80ce1668694bd1

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 01:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f94d8ec1b53caedf1d8e6c019143101.exe
Size

8KB
MD5

3f94d8ec1b53caedf1d8e6c019143101
SHA1

929ca2e2f55292177670779df2c294ef7d561737
SHA256

14d8da4067620e891c74a980d9c0ad594cca94f9c33e8fc63d80ce1668694bd1
SHA512

b18b7ab6a3582dd32692c8febe6c282c36e26b4d7b281e4dfac1e0014cc0e9cd5474858b1e69bee9c2a282963d6369e28552cf06eb0d424a101fdb8c926d7552
SSDEEP

192:p4nxSVdbZWyabn8AN7chT5Ug1hp6e6Y9T/ap:p44y8ANo6eppY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 61 IoCs

pid	Process
2336	nwizhx2.exe
2676	nwizhx2.exe
2996	nwizhx2.exe
2596	nwizhx2.exe
2568	nwizhx2.exe
1220	nwizhx2.exe
1964	nwizhx2.exe
960	nwizhx2.exe
1648	nwizhx2.exe
2960	nwizhx2.exe
1824	nwizhx2.exe
2032	nwizhx2.exe
2200	nwizhx2.exe
2560	nwizhx2.exe
2660	nwizhx2.exe
2096	nwizhx2.exe
1256	nwizhx2.exe
2124	nwizhx2.exe
2452	nwizhx2.exe
2180	nwizhx2.exe
1340	nwizhx2.exe
1788	nwizhx2.exe
1560	nwizhx2.exe
1908	nwizhx2.exe
740	nwizhx2.exe
1668	nwizhx2.exe
940	nwizhx2.exe
3052	nwizhx2.exe
484	nwizhx2.exe
868	nwizhx2.exe
1728	nwizhx2.exe
1956	nwizhx2.exe
2816	nwizhx2.exe
3000	nwizhx2.exe
2800	nwizhx2.exe
2332	nwizhx2.exe
2740	nwizhx2.exe
292	nwizhx2.exe
2596	nwizhx2.exe
2584	nwizhx2.exe
2424	nwizhx2.exe
800	nwizhx2.exe
1484	nwizhx2.exe
968	nwizhx2.exe
2944	nwizhx2.exe
2972	nwizhx2.exe
2956	nwizhx2.exe
1076	nwizhx2.exe
2288	nwizhx2.exe
2156	nwizhx2.exe
1680	nwizhx2.exe
1232	nwizhx2.exe
756	nwizhx2.exe
1356	nwizhx2.exe
2072	nwizhx2.exe
2280	nwizhx2.exe
2904	nwizhx2.exe
2284	nwizhx2.exe
2108	nwizhx2.exe
2180	nwizhx2.exe
1704	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
2548	3f94d8ec1b53caedf1d8e6c019143101.exe
2548	3f94d8ec1b53caedf1d8e6c019143101.exe
2336	nwizhx2.exe
2336	nwizhx2.exe
2676	nwizhx2.exe
2676	nwizhx2.exe
2996	nwizhx2.exe
2996	nwizhx2.exe
2596	nwizhx2.exe
2596	nwizhx2.exe
2568	nwizhx2.exe
2568	nwizhx2.exe
1220	nwizhx2.exe
1220	nwizhx2.exe
1964	nwizhx2.exe
1964	nwizhx2.exe
960	nwizhx2.exe
960	nwizhx2.exe
1648	nwizhx2.exe
1648	nwizhx2.exe
2960	nwizhx2.exe
2960	nwizhx2.exe
1824	nwizhx2.exe
1824	nwizhx2.exe
2032	nwizhx2.exe
2032	nwizhx2.exe
2200	nwizhx2.exe
2200	nwizhx2.exe
2560	nwizhx2.exe
2560	nwizhx2.exe
2660	nwizhx2.exe
2660	nwizhx2.exe
2096	nwizhx2.exe
2096	nwizhx2.exe
1256	nwizhx2.exe
1256	nwizhx2.exe
2124	nwizhx2.exe
2124	nwizhx2.exe
2452	nwizhx2.exe
2452	nwizhx2.exe
2180	nwizhx2.exe
2180	nwizhx2.exe
1340	nwizhx2.exe
1340	nwizhx2.exe
1788	nwizhx2.exe
1788	nwizhx2.exe
1560	nwizhx2.exe
1560	nwizhx2.exe
1908	nwizhx2.exe
1908	nwizhx2.exe
740	nwizhx2.exe
740	nwizhx2.exe
1668	nwizhx2.exe
1668	nwizhx2.exe
940	nwizhx2.exe
940	nwizhx2.exe
3052	nwizhx2.exe
3052	nwizhx2.exe
484	nwizhx2.exe
484	nwizhx2.exe
868	nwizhx2.exe
868	nwizhx2.exe
1728	nwizhx2.exe
1728	nwizhx2.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	cmd.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	3f94d8ec1b53caedf1d8e6c019143101.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	Process not Found
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File opened for modification	C:\Windows\SysWOW64\nwizhx2.exe	3f94d8ec1b53caedf1d8e6c019143101.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe
File created	C:\Windows\SysWOW64\nwizhx2.exe	nwizhx2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	3f94d8ec1b53caedf1d8e6c019143101.exe
2548	3f94d8ec1b53caedf1d8e6c019143101.exe
2548	3f94d8ec1b53caedf1d8e6c019143101.exe
2548	3f94d8ec1b53caedf1d8e6c019143101.exe
2336	nwizhx2.exe
2336	nwizhx2.exe
2336	nwizhx2.exe
2336	nwizhx2.exe
2676	nwizhx2.exe
2676	nwizhx2.exe
2676	nwizhx2.exe
2676	nwizhx2.exe
2996	nwizhx2.exe
2996	nwizhx2.exe
2996	nwizhx2.exe
2996	nwizhx2.exe
2596	nwizhx2.exe
2596	nwizhx2.exe
2596	nwizhx2.exe
2596	nwizhx2.exe
2568	nwizhx2.exe
2568	nwizhx2.exe
2568	nwizhx2.exe
2568	nwizhx2.exe
1220	nwizhx2.exe
1220	nwizhx2.exe
1220	nwizhx2.exe
1220	nwizhx2.exe
1964	nwizhx2.exe
1964	nwizhx2.exe
1964	nwizhx2.exe
1964	nwizhx2.exe
960	nwizhx2.exe
960	nwizhx2.exe
960	nwizhx2.exe
960	nwizhx2.exe
1648	nwizhx2.exe
1648	nwizhx2.exe
1648	nwizhx2.exe
1648	nwizhx2.exe
2960	nwizhx2.exe
2960	nwizhx2.exe
2960	nwizhx2.exe
2960	nwizhx2.exe
1824	nwizhx2.exe
1824	nwizhx2.exe
1824	nwizhx2.exe
1824	nwizhx2.exe
2032	nwizhx2.exe
2032	nwizhx2.exe
2032	nwizhx2.exe
2032	nwizhx2.exe
2200	nwizhx2.exe
2200	nwizhx2.exe
2200	nwizhx2.exe
2200	nwizhx2.exe
2560	nwizhx2.exe
2560	nwizhx2.exe
2560	nwizhx2.exe
2560	nwizhx2.exe
2660	nwizhx2.exe
2660	nwizhx2.exe
2660	nwizhx2.exe
2660	nwizhx2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2336	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	28
PID 2548 wrote to memory of 2336	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	28
PID 2548 wrote to memory of 2336	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	28
PID 2548 wrote to memory of 2336	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	28
PID 2548 wrote to memory of 2792	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	29
PID 2548 wrote to memory of 2792	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	29
PID 2548 wrote to memory of 2792	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	29
PID 2548 wrote to memory of 2792	2548	3f94d8ec1b53caedf1d8e6c019143101.exe	29
PID 2336 wrote to memory of 2676	2336	nwizhx2.exe	31
PID 2336 wrote to memory of 2676	2336	nwizhx2.exe	31
PID 2336 wrote to memory of 2676	2336	nwizhx2.exe	31
PID 2336 wrote to memory of 2676	2336	nwizhx2.exe	31
PID 2336 wrote to memory of 2800	2336	nwizhx2.exe	32
PID 2336 wrote to memory of 2800	2336	nwizhx2.exe	32
PID 2336 wrote to memory of 2800	2336	nwizhx2.exe	32
PID 2336 wrote to memory of 2800	2336	nwizhx2.exe	32
PID 2676 wrote to memory of 2996	2676	nwizhx2.exe	34
PID 2676 wrote to memory of 2996	2676	nwizhx2.exe	34
PID 2676 wrote to memory of 2996	2676	nwizhx2.exe	34
PID 2676 wrote to memory of 2996	2676	nwizhx2.exe	34
PID 2676 wrote to memory of 2608	2676	nwizhx2.exe	35
PID 2676 wrote to memory of 2608	2676	nwizhx2.exe	35
PID 2676 wrote to memory of 2608	2676	nwizhx2.exe	35
PID 2676 wrote to memory of 2608	2676	nwizhx2.exe	35
PID 2996 wrote to memory of 2596	2996	nwizhx2.exe	37
PID 2996 wrote to memory of 2596	2996	nwizhx2.exe	37
PID 2996 wrote to memory of 2596	2996	nwizhx2.exe	37
PID 2996 wrote to memory of 2596	2996	nwizhx2.exe	37
PID 2996 wrote to memory of 2736	2996	nwizhx2.exe	38
PID 2996 wrote to memory of 2736	2996	nwizhx2.exe	38
PID 2996 wrote to memory of 2736	2996	nwizhx2.exe	38
PID 2996 wrote to memory of 2736	2996	nwizhx2.exe	38
PID 2596 wrote to memory of 2568	2596	nwizhx2.exe	40
PID 2596 wrote to memory of 2568	2596	nwizhx2.exe	40
PID 2596 wrote to memory of 2568	2596	nwizhx2.exe	40
PID 2596 wrote to memory of 2568	2596	nwizhx2.exe	40
PID 2596 wrote to memory of 2604	2596	nwizhx2.exe	41
PID 2596 wrote to memory of 2604	2596	nwizhx2.exe	41
PID 2596 wrote to memory of 2604	2596	nwizhx2.exe	41
PID 2596 wrote to memory of 2604	2596	nwizhx2.exe	41
PID 2568 wrote to memory of 1220	2568	nwizhx2.exe	43
PID 2568 wrote to memory of 1220	2568	nwizhx2.exe	43
PID 2568 wrote to memory of 1220	2568	nwizhx2.exe	43
PID 2568 wrote to memory of 1220	2568	nwizhx2.exe	43
PID 2568 wrote to memory of 2616	2568	nwizhx2.exe	44
PID 2568 wrote to memory of 2616	2568	nwizhx2.exe	44
PID 2568 wrote to memory of 2616	2568	nwizhx2.exe	44
PID 2568 wrote to memory of 2616	2568	nwizhx2.exe	44
PID 1220 wrote to memory of 1964	1220	nwizhx2.exe	46
PID 1220 wrote to memory of 1964	1220	nwizhx2.exe	46
PID 1220 wrote to memory of 1964	1220	nwizhx2.exe	46
PID 1220 wrote to memory of 1964	1220	nwizhx2.exe	46
PID 1220 wrote to memory of 524	1220	nwizhx2.exe	47
PID 1220 wrote to memory of 524	1220	nwizhx2.exe	47
PID 1220 wrote to memory of 524	1220	nwizhx2.exe	47
PID 1220 wrote to memory of 524	1220	nwizhx2.exe	47
PID 1964 wrote to memory of 960	1964	nwizhx2.exe	49
PID 1964 wrote to memory of 960	1964	nwizhx2.exe	49
PID 1964 wrote to memory of 960	1964	nwizhx2.exe	49
PID 1964 wrote to memory of 960	1964	nwizhx2.exe	49
PID 1964 wrote to memory of 572	1964	nwizhx2.exe	50
PID 1964 wrote to memory of 572	1964	nwizhx2.exe	50
PID 1964 wrote to memory of 572	1964	nwizhx2.exe	50
PID 1964 wrote to memory of 572	1964	nwizhx2.exe	50

C:\Users\Admin\AppData\Local\Temp\3f94d8ec1b53caedf1d8e6c019143101.exe
"C:\Users\Admin\AppData\Local\Temp\3f94d8ec1b53caedf1d8e6c019143101.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\nwizhx2.exe
  C:\Windows\system32\nwizhx2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\nwizhx2.exe
    C:\Windows\system32\nwizhx2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\nwizhx2.exe
      C:\Windows\system32\nwizhx2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:960
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:484
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:292
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        59⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        60⤵
        
        PID:588
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        60⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        62⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        62⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        63⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        63⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        64⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        65⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        65⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        66⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        66⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        67⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        68⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        68⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        69⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        69⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        70⤵
        
        PID:484
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        70⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        71⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        72⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        73⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        74⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        74⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        75⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        76⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        77⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        78⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        79⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        80⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        80⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        81⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        82⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        82⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        83⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        84⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        84⤵
        
        PID:824
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        85⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        86⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        87⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        87⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        88⤵
        
        PID:772
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        88⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        89⤵
        
        PID:856
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        89⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        90⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        90⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        91⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        91⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        92⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        93⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        94⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        94⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        95⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        96⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        96⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        97⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        98⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        99⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        99⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        100⤵
        
        PID:288
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        101⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        102⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        103⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        104⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        104⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        105⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        105⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        106⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        107⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        107⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        108⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        109⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        109⤵
        
        PID:940
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        110⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        111⤵
        
        PID:484
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        112⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        113⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        113⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        114⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        114⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        115⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        115⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        116⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        117⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        118⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        118⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        119⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        119⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        120⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        121⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        122⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        123⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        124⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        125⤵
        
        PID:800
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        126⤵
        
        PID:824
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        127⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        128⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        128⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        129⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        130⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        130⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        131⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        132⤵
        
        PID:344
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        132⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        133⤵
        
        PID:924
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        134⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        135⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        135⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        136⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        136⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        137⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        137⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        138⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        139⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        139⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\nwizhx2.exe
        
        C:\Windows\system32\nwizhx2.exe
        140⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        138⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        134⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        133⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        131⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        129⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        127⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        126⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        125⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        124⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        123⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        122⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        121⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        120⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        117⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        116⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        112⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        111⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        110⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        108⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        106⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        103⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        102⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        101⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        100⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        98⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        97⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        95⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        93⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        92⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        86⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        85⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        83⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        81⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        79⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        78⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        77⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        76⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        75⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        73⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        72⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        71⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        67⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        64⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        61⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        58⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        57⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        56⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        55⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        54⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        53⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        52⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        51⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        50⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        49⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        48⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        47⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        46⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        45⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        44⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        43⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        42⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        41⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        40⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        39⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        38⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        37⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        36⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        35⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        34⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        33⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        32⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        31⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        30⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        29⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        28⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        27⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        26⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        25⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        24⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        23⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        22⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        21⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        20⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        19⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        18⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        17⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        16⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        15⤵
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        14⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        13⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        10⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        9⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        8⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        7⤵
        
        PID:2616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        6⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\nwizhx2.exe"
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\3f94d8ec1b53caedf1d8e6c019143101.exe"
  2⤵
  - Deletes itself
  PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "82706806937372094318205532-1519191140-746849763885125772-1095013239325968224"
1⤵
PID:1184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\nwizhx2.exe

Filesize
8KB

MD5
3f94d8ec1b53caedf1d8e6c019143101

SHA1
929ca2e2f55292177670779df2c294ef7d561737

SHA256
14d8da4067620e891c74a980d9c0ad594cca94f9c33e8fc63d80ce1668694bd1

SHA512
b18b7ab6a3582dd32692c8febe6c282c36e26b4d7b281e4dfac1e0014cc0e9cd5474858b1e69bee9c2a282963d6369e28552cf06eb0d424a101fdb8c926d7552

Download Submit