d222ec6dd3957a8fdec2dd14a3718ba2c9acae96e3476aced7d754bc19ecb03f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

6.6MB
MD5

0da2b181981239146eb1d216029207e8
SHA1

0bbc5a73f385be44301157b27a3674591ff03d09
SHA256

d222ec6dd3957a8fdec2dd14a3718ba2c9acae96e3476aced7d754bc19ecb03f
SHA512

6b5e29a0c90d46caa442fa92a56370c7ec19f22a7f64b498e5b87e97958eb802694f191248a9265d2c457e9df2ca5a1a7dcafcc7249ba7800234895b3e911b4b
SSDEEP

98304:rsOBVM2qwlj5awdv56s1Qr3iP4dtVOFyBwKQqHJTIXviT5AIWNZeJJPl4yNSYGl2:r5j5ao5pQrS8qFnKQ62qCIVPlDNF

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u2u8.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	uwg.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u3n0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u3do.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u2lo.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u3is.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	ComcontainerAgentServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	uqw.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	ux0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u3qo.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u118.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u1ww.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u30w.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	ubg.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u1g0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u1us.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u2ys.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	j25aynuw.123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Wave.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	u3wg.0.exe

Executes dropped EXE 64 IoCs

pid	Process
5056	j25aynuw.123.exe
3372	u3wg.0.exe
2572	ComcontainerAgentServer.exe
3772	j25aynuw.123.exe
1292	u2ws.0.exe
4460	ComcontainerAgentServer.exe
1188	j25aynuw.123.exe
4556	ux0.0.exe
4716	ComcontainerAgentServer.exe
2276	j25aynuw.123.exe
3892	u1r8.0.exe
2656	ComcontainerAgentServer.exe
4348	j25aynuw.123.exe
4364	u3cs.0.exe
3996	ComcontainerAgentServer.exe
388	j25aynuw.123.exe
796	uas.0.exe
3252	ComcontainerAgentServer.exe
1776	j25aynuw.123.exe
2876	u1dc.0.exe
1940	ComcontainerAgentServer.exe
4848	j25aynuw.123.exe
4776	u3qo.0.exe
3616	ComcontainerAgentServer.exe
3768	j25aynuw.123.exe
1612	u2wo.0.exe
936	ComcontainerAgentServer.exe
2504	j25aynuw.123.exe
4356	u1xk.0.exe
4968	ComcontainerAgentServer.exe
3776	j25aynuw.123.exe
2308	u2ww.0.exe
648	ComcontainerAgentServer.exe
3092	j25aynuw.123.exe
3252	u2dw.0.exe
4456	ComcontainerAgentServer.exe
4100	j25aynuw.123.exe
2064	u35w.0.exe
2492	ComcontainerAgentServer.exe
3680	j25aynuw.123.exe
3044	u2u8.0.exe
2636	ComcontainerAgentServer.exe
2916	j25aynuw.123.exe
4840	u290.0.exe
2308	ComcontainerAgentServer.exe
2296	j25aynuw.123.exe
4968	u1rs.0.exe
2392	ComcontainerAgentServer.exe
3372	j25aynuw.123.exe
1052	u2lo.0.exe
3688	ComcontainerAgentServer.exe
312	j25aynuw.123.exe
3792	u8o.0.exe
1860	ComcontainerAgentServer.exe
4476	j25aynuw.123.exe
4964	u3gc.0.exe
2556	ComcontainerAgentServer.exe
2480	j25aynuw.123.exe
3768	u1ww.0.exe
4112	ComcontainerAgentServer.exe
3112	j25aynuw.123.exe
4532	u2eg.0.exe
4100	ComcontainerAgentServer.exe
848	j25aynuw.123.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
164	raw.githubusercontent.com
175	raw.githubusercontent.com
52	raw.githubusercontent.com
58	raw.githubusercontent.com
117	raw.githubusercontent.com
123	raw.githubusercontent.com
173	raw.githubusercontent.com
192	raw.githubusercontent.com
198	raw.githubusercontent.com
37	raw.githubusercontent.com
134	raw.githubusercontent.com
56	raw.githubusercontent.com
96	raw.githubusercontent.com
202	raw.githubusercontent.com
206	raw.githubusercontent.com
26	raw.githubusercontent.com
94	raw.githubusercontent.com
100	raw.githubusercontent.com
149	raw.githubusercontent.com
187	raw.githubusercontent.com
200	raw.githubusercontent.com
208	raw.githubusercontent.com
42	raw.githubusercontent.com
84	raw.githubusercontent.com
88	raw.githubusercontent.com
121	raw.githubusercontent.com
140	raw.githubusercontent.com
54	raw.githubusercontent.com
115	raw.githubusercontent.com
119	raw.githubusercontent.com
142	raw.githubusercontent.com
125	raw.githubusercontent.com
127	raw.githubusercontent.com
151	raw.githubusercontent.com
185	raw.githubusercontent.com
190	raw.githubusercontent.com
204	raw.githubusercontent.com
102	raw.githubusercontent.com
181	raw.githubusercontent.com
92	raw.githubusercontent.com
167	raw.githubusercontent.com
177	raw.githubusercontent.com
32	raw.githubusercontent.com
74	raw.githubusercontent.com
183	raw.githubusercontent.com
60	raw.githubusercontent.com
62	raw.githubusercontent.com
98	raw.githubusercontent.com
196	raw.githubusercontent.com
82	raw.githubusercontent.com
90	raw.githubusercontent.com
104	raw.githubusercontent.com
138	raw.githubusercontent.com
146	raw.githubusercontent.com
179	raw.githubusercontent.com
194	raw.githubusercontent.com
40	raw.githubusercontent.com
47	raw.githubusercontent.com
80	raw.githubusercontent.com
169	raw.githubusercontent.com
210	raw.githubusercontent.com
27	raw.githubusercontent.com
64	raw.githubusercontent.com
86	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	ux8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1oo.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	unk.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u204.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2kk.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2h0.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3n0.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1ww.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3is.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	ubg.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1xk.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2ww.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u8o.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	uqc.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1ww.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	uqw.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1zw.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	ux0.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	ux0.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	uf0.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3rw.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3cs.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3qo.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	un0.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3do.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3wg.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u22g.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3bs.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1g0.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u28w.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	uas.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u290.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u118.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3ao.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	uhs.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u8o.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3ns.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2ws.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1r8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1us.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u8o.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3wk.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u30w.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	ugo.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2u8.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1rs.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	ComcontainerAgentServer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2lo.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u35w.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	uwg.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3ts.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1dc.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2wo.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2dw.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u1zw.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2os.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u19c.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3sw.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u15k.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u22c.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u35k.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u2ys.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3vg.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	u3gc.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe
2572	ComcontainerAgentServer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2572	ComcontainerAgentServer.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4460	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4716	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2656	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3996	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3252	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1940	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3616	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	936	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4968	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	648	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4456	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2492	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2636	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2308	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2392	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3688	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1860	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2556	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4112	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4100	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3136	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4840	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4888	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	932	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1188	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2868	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4456	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4508	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1892	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3204	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2008	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4716	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1868	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	5056	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1452	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3052	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	736	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2948	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3912	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2088	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2180	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3996	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4060	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4164	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3144	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2784	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4528	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3556	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4676	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	852	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3020	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	2476	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4960	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3092	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3196	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1872	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4532	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	3760	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1648	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	4992	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	1320	ComcontainerAgentServer.exe
Token: SeDebugPrivilege	952	ComcontainerAgentServer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 848	940	Wave.exe	88
PID 940 wrote to memory of 848	940	Wave.exe	88
PID 940 wrote to memory of 5056	940	Wave.exe	89
PID 940 wrote to memory of 5056	940	Wave.exe	89
PID 5056 wrote to memory of 3372	5056	j25aynuw.123.exe	91
PID 5056 wrote to memory of 3372	5056	j25aynuw.123.exe	91
PID 5056 wrote to memory of 3372	5056	j25aynuw.123.exe	91
PID 3372 wrote to memory of 1088	3372	u3wg.0.exe	93
PID 3372 wrote to memory of 1088	3372	u3wg.0.exe	93
PID 3372 wrote to memory of 1088	3372	u3wg.0.exe	93
PID 1088 wrote to memory of 4308	1088	WScript.exe	94
PID 1088 wrote to memory of 4308	1088	WScript.exe	94
PID 1088 wrote to memory of 4308	1088	WScript.exe	94
PID 4308 wrote to memory of 2572	4308	cmd.exe	96
PID 4308 wrote to memory of 2572	4308	cmd.exe	96
PID 848 wrote to memory of 1692	848	Wave.exe	97
PID 848 wrote to memory of 1692	848	Wave.exe	97
PID 848 wrote to memory of 3772	848	Wave.exe	98
PID 848 wrote to memory of 3772	848	Wave.exe	98
PID 3772 wrote to memory of 1292	3772	j25aynuw.123.exe	99
PID 3772 wrote to memory of 1292	3772	j25aynuw.123.exe	99
PID 3772 wrote to memory of 1292	3772	j25aynuw.123.exe	99
PID 1292 wrote to memory of 4632	1292	u2ws.0.exe	100
PID 1292 wrote to memory of 4632	1292	u2ws.0.exe	100
PID 1292 wrote to memory of 4632	1292	u2ws.0.exe	100
PID 4632 wrote to memory of 4860	4632	WScript.exe	101
PID 4632 wrote to memory of 4860	4632	WScript.exe	101
PID 4632 wrote to memory of 4860	4632	WScript.exe	101
PID 4860 wrote to memory of 4460	4860	cmd.exe	103
PID 4860 wrote to memory of 4460	4860	cmd.exe	103
PID 1692 wrote to memory of 1176	1692	Wave.exe	105
PID 1692 wrote to memory of 1176	1692	Wave.exe	105
PID 1692 wrote to memory of 1188	1692	Wave.exe	106
PID 1692 wrote to memory of 1188	1692	Wave.exe	106
PID 1188 wrote to memory of 4556	1188	j25aynuw.123.exe	107
PID 1188 wrote to memory of 4556	1188	j25aynuw.123.exe	107
PID 1188 wrote to memory of 4556	1188	j25aynuw.123.exe	107
PID 4556 wrote to memory of 5020	4556	ux0.0.exe	108
PID 4556 wrote to memory of 5020	4556	ux0.0.exe	108
PID 4556 wrote to memory of 5020	4556	ux0.0.exe	108
PID 5020 wrote to memory of 828	5020	WScript.exe	109
PID 5020 wrote to memory of 828	5020	WScript.exe	109
PID 5020 wrote to memory of 828	5020	WScript.exe	109
PID 828 wrote to memory of 4716	828	cmd.exe	111
PID 828 wrote to memory of 4716	828	cmd.exe	111
PID 1176 wrote to memory of 3320	1176	Wave.exe	112
PID 1176 wrote to memory of 3320	1176	Wave.exe	112
PID 1176 wrote to memory of 2276	1176	Wave.exe	113
PID 1176 wrote to memory of 2276	1176	Wave.exe	113
PID 2276 wrote to memory of 3892	2276	j25aynuw.123.exe	115
PID 2276 wrote to memory of 3892	2276	j25aynuw.123.exe	115
PID 2276 wrote to memory of 3892	2276	j25aynuw.123.exe	115
PID 3892 wrote to memory of 1460	3892	u1r8.0.exe	116
PID 3892 wrote to memory of 1460	3892	u1r8.0.exe	116
PID 3892 wrote to memory of 1460	3892	u1r8.0.exe	116
PID 1460 wrote to memory of 3920	1460	WScript.exe	117
PID 1460 wrote to memory of 3920	1460	WScript.exe	117
PID 1460 wrote to memory of 3920	1460	WScript.exe	117
PID 3920 wrote to memory of 2656	3920	cmd.exe	119
PID 3920 wrote to memory of 2656	3920	cmd.exe	119
PID 3320 wrote to memory of 2504	3320	Wave.exe	120
PID 3320 wrote to memory of 2504	3320	Wave.exe	120
PID 3320 wrote to memory of 4348	3320	Wave.exe	121
PID 3320 wrote to memory of 4348	3320	Wave.exe	121

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\Wave.exe
  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\Wave.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\Wave.exe
      "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        6⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        7⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        8⤵
        Checks computer location settings
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        9⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        10⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        11⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        12⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        13⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        14⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        15⤵
        Checks computer location settings
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        16⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        17⤵
        Checks computer location settings
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        18⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        19⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        20⤵
        Checks computer location settings
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        21⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        22⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        23⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        24⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        25⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        26⤵
        Checks computer location settings
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        27⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        28⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        29⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        30⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        31⤵
        Checks computer location settings
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        32⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        33⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        34⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        35⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        36⤵
        Checks computer location settings
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        37⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        38⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        39⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        40⤵
        Checks computer location settings
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        41⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        42⤵
        Checks computer location settings
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        43⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        44⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        45⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        46⤵
        Checks computer location settings
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        47⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        48⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        49⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        50⤵
        Checks computer location settings
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        51⤵
        Checks computer location settings
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        52⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        53⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        54⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        55⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        56⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        57⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        58⤵
        Checks computer location settings
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        59⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        60⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        61⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        62⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        63⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        64⤵
        Checks computer location settings
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        65⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Wave.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
        66⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        66⤵
        Checks computer location settings
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\ugo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ugo.0.exe"
        67⤵
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        68⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        69⤵
        
        PID:4876
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        70⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        65⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\u3ao.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3ao.0.exe"
        66⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        67⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        68⤵
        
        PID:3020
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        69⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        64⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\u15k.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u15k.0.exe"
        65⤵
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        66⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        67⤵
        
        PID:2276
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        68⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        63⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe"
        64⤵
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        65⤵
        Checks computer location settings
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        66⤵
        
        PID:5056
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        67⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        62⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\u28w.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u28w.0.exe"
        63⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        64⤵
        Checks computer location settings
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        65⤵
        
        PID:3876
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        66⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        61⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\u3vg.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3vg.0.exe"
        62⤵
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        63⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        64⤵
        
        PID:848
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        60⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\u30w.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u30w.0.exe"
        61⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        62⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        63⤵
        
        PID:2680
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        64⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        59⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\u3do.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3do.0.exe"
        60⤵
        Checks computer location settings
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        61⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        62⤵
        
        PID:1176
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        58⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\u2os.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2os.0.exe"
        59⤵
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        60⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        61⤵
        
        PID:4172
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        62⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        57⤵
        Checks computer location settings
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\u3wk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3wk.0.exe"
        58⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        59⤵
        Checks computer location settings
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        60⤵
        
        PID:2652
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        56⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe"
        57⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        58⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        59⤵
        
        PID:2628
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        55⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\ubg.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ubg.0.exe"
        56⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        57⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        58⤵
        
        PID:4460
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        54⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\u8o.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u8o.0.exe"
        55⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        56⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        57⤵
        
        PID:232
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        53⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe"
        54⤵
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        55⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        56⤵
        
        PID:3712
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        52⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\u3ns.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3ns.0.exe"
        53⤵
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        54⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        55⤵
        
        PID:948
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        51⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\u1zw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1zw.0.exe"
        52⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        53⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        54⤵
        
        PID:3164
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        50⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\u8o.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u8o.0.exe"
        51⤵
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        52⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        53⤵
        
        PID:1320
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        49⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\u3bs.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3bs.0.exe"
        50⤵
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        51⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        52⤵
        
        PID:4000
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        48⤵
        Checks computer location settings
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\u2kk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2kk.0.exe"
        49⤵
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        50⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        51⤵
        
        PID:3372
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        47⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\u3is.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3is.0.exe"
        48⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        49⤵
        Checks computer location settings
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        50⤵
        
        PID:4196
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        46⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\ux8.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ux8.0.exe"
        47⤵
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        48⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        49⤵
        
        PID:704
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        45⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe"
        46⤵
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        47⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        48⤵
        
        PID:4716
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        44⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\u1zw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1zw.0.exe"
        45⤵
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        46⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        47⤵
        
        PID:952
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        48⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        43⤵
        Checks computer location settings
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\uwg.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uwg.0.exe"
        44⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        45⤵
        Checks computer location settings
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        46⤵
        
        PID:2148
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        42⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\u1f0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1f0.0.exe"
        43⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        44⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        45⤵
        
        PID:2628
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        41⤵
        Checks computer location settings
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\u1ww.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1ww.0.exe"
        42⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        43⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        44⤵
        
        PID:732
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        40⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\uqw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uqw.0.exe"
        41⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        42⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        43⤵
        
        PID:1628
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        39⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\u118.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u118.0.exe"
        40⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        41⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        42⤵
        
        PID:488
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        38⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\uhs.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uhs.0.exe"
        39⤵
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        40⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        41⤵
        
        PID:1564
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        37⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\ux0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ux0.0.exe"
        38⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        39⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        40⤵
        
        PID:3700
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        36⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\u19c.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u19c.0.exe"
        37⤵
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        38⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        39⤵
        
        PID:4052
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        35⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\un0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\un0.0.exe"
        36⤵
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        37⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        38⤵
        
        PID:4544
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        34⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\u22g.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u22g.0.exe"
        35⤵
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        36⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        37⤵
        
        PID:2668
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        33⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\u3rw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3rw.0.exe"
        34⤵
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        35⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        36⤵
        
        PID:4824
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        32⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\u3n0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3n0.0.exe"
        33⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        34⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        35⤵
        
        PID:1720
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        31⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\u2ys.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2ys.0.exe"
        32⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        33⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        34⤵
        
        PID:4912
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        30⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\uf0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uf0.0.exe"
        31⤵
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        32⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        33⤵
        
        PID:488
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        29⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\u1us.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1us.0.exe"
        30⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        31⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        32⤵
        
        PID:224
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        28⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\u204.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u204.0.exe"
        29⤵
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        30⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        31⤵
        
        PID:3284
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        27⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\uqc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uqc.0.exe"
        28⤵
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        29⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        30⤵
        
        PID:3636
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        26⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\u35k.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u35k.0.exe"
        27⤵
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        28⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        29⤵
        
        PID:2916
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        25⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\u22c.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u22c.0.exe"
        26⤵
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        27⤵
        Checks computer location settings
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        28⤵
        
        PID:2568
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        24⤵
        Checks computer location settings
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\u2h0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2h0.0.exe"
        25⤵
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        26⤵
        Checks computer location settings
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        27⤵
        
        PID:3372
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        23⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\unk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\unk.0.exe"
        24⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        25⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        26⤵
        
        PID:1968
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        22⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\u2eg.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2eg.0.exe"
        23⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        24⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        25⤵
        
        PID:2564
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        21⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\u1ww.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1ww.0.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        23⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        24⤵
        
        PID:2912
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\u3gc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3gc.0.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        22⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        23⤵
        
        PID:4056
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        19⤵
        Executes dropped EXE
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\u8o.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u8o.0.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        21⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        22⤵
        
        PID:3584
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        18⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\u2lo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2lo.0.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        20⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        21⤵
        
        PID:2128
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        17⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\u1rs.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1rs.0.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        19⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        20⤵
        
        PID:932
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        16⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\u290.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u290.0.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        18⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        19⤵
        
        PID:2996
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\u2u8.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2u8.0.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        17⤵
        Checks computer location settings
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        18⤵
        
        PID:4180
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\u35w.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u35w.0.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        16⤵
        Checks computer location settings
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        17⤵
        
        PID:2556
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        13⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        15⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        16⤵
        
        PID:2944
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\u2ww.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2ww.0.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        14⤵
        Checks computer location settings
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        15⤵
        
        PID:2128
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        11⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\u1xk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1xk.0.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        13⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        14⤵
        
        PID:4848
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        10⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\u2wo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2wo.0.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        12⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        13⤵
        
        PID:4832
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        9⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\u3qo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3qo.0.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        11⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        12⤵
        
        PID:5056
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        8⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\u1dc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1dc.0.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        10⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        11⤵
        
        PID:3052
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        7⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\uas.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uas.0.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        9⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        10⤵
        
        PID:4088
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        6⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\u3cs.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3cs.0.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        9⤵
        
        PID:524
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\u1r8.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1r8.0.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
      "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\ux0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ux0.0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
- - C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
    "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\u2ws.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2ws.0.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
- C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe
  "C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\u3wg.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u3wg.0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\portfontDriverRef\ComcontainerAgentServer.exe
        
        "C:\portfontDriverRef/ComcontainerAgentServer.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
        7⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComcontainerAgentServer.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Wave.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\j25aynuw.123.exe

Filesize
416KB

MD5
459c4444f5fa7bda21ce1cfcfd73eeb3

SHA1
fae0300475ac000bdee75729be001cf3e73e1a5c

SHA256
1b176badfb2c11c6317cd796e7b136723da935d6bd7cd312a200474518710905

SHA512
c65d0883fff87270e09cf5001ff98c7928baf851b496e423f4759479b6292c782a6a2406b8ae01afb34009c3fa675019fe9d3e3f070c87bb1df1b1b05fa9669a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3wg.0.exe

Filesize
2.1MB

MD5
f8dde99b16e81802213092d8c3e280f4

SHA1
44b5c84264574ec0c86b67c4ab33fe3d2e943867

SHA256
07cb90a5763dcbe32c14d520aa28ee83a776637c270e11436e64fccc7ff2a9ce

SHA512
2b2bdeaf101633677ebe81ddb6fd2cb95846340ca57b3e5305dea848085fa912c413f25bac71c8bf7c219739a0293b1fde3028fb887997ec6296fc37993e4cde

Download Submit
C:\portfontDriverRef\ComcontainerAgentServer.exe

Filesize
1.8MB

MD5
e1ad20cdbfd4857fbdf11d4ab45131bb

SHA1
f07dd6c0e5ffa517d790d817faa800a2b670e56d

SHA256
52b91368ca96fa2491609a71f6104c39024edc8ef9c008dce0de50d071c9358c

SHA512
4127b963a45f36596550b1f69dc382e9b2a666ab4a7ece73d5c863cdff8dd0090a7b6b29c0e4bf82f61a38396d29ec4f4b10f68eb256abf84e7fcc12f4ecb1a7

Download Submit
C:\portfontDriverRef\UWjaidppTQUpTkM72U8TJTLZoJay.bat

Filesize
103B

MD5
eaceac8f39a0d99832897d1efdd398ed

SHA1
e3c0fa71bfe36b4e98662fe3fd5b30f81975b581

SHA256
4e8ff63a015f9ca5f3d43fa6f5447ebba1030104843f2cd9efd36925b0e3f3f1

SHA512
a18fb3d7d79b51db194f7eebcce9dfb56f4a978737c8a78133a6d2ebd68f089f9c7e2188ea99fb214114ed27d407dc5b4ee30f7c6be56ed5be243d42ca037e87

Download Submit
C:\portfontDriverRef\nhjhHElUL1tLCzCIDDeJMy041CB20BPkSu5XNsuz2xyN0BEWrS9YbVss.vbe

Filesize
220B

MD5
b01d5e80ad2526f67db23cda304c5a29

SHA1
e43a72b46b12c5579b13ebdd7d179753a8a98081

SHA256
15d8584d153568c0ab6607e22ba272c8bc263668150c29c62c2989095b349395

SHA512
47ad3537d796462284c9000ddfe6b92c953a8405a5bea61dd80da0d4454816eac9b1bdd505232a4fb4ddf145dc8f8b5618041bab7e3649ca7a821230af1ff2df

Download Submit
memory/848-11-0x00007FFFFB510000-0x00007FFFFBFD1000-memory.dmp

Filesize
10.8MB

Download
memory/848-43-0x00007FFFFB510000-0x00007FFFFBFD1000-memory.dmp

Filesize
10.8MB

Download
memory/940-13-0x00007FFFFB510000-0x00007FFFFBFD1000-memory.dmp

Filesize
10.8MB

Download
memory/940-2-0x00007FFFFB510000-0x00007FFFFBFD1000-memory.dmp

Filesize
10.8MB

Download
memory/940-0-0x00007FFFFB513000-0x00007FFFFB515000-memory.dmp

Filesize
8KB

Download
memory/940-1-0x0000000000BE0000-0x000000000128C000-memory.dmp

Filesize
6.7MB

Download
memory/2572-34-0x0000000000520000-0x00000000006FA000-memory.dmp

Filesize
1.9MB

Download
memory/2572-52-0x0000000002740000-0x000000000275C000-memory.dmp

Filesize
112KB

Download
memory/2572-55-0x000000001B300000-0x000000001B350000-memory.dmp

Filesize
320KB

Download
memory/2572-57-0x0000000002760000-0x0000000002778000-memory.dmp

Filesize
96KB

Download
memory/2572-60-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2572-48-0x0000000000DC0000-0x0000000000DCE000-memory.dmp

Filesize
56KB

Download
memory/2572-139-0x000000001C200000-0x000000001C315000-memory.dmp

Filesize
1.1MB

Download
memory/2572-631-0x000000001BFC0000-0x000000001C01A000-memory.dmp

Filesize
360KB

Download
memory/2572-636-0x000000001C200000-0x000000001C315000-memory.dmp

Filesize
1.1MB

Download