Malware Analysis Report

2024-11-16 12:45

Sample ID 240303-cfjr1sbh69
Target Chernobyl.exe
SHA256 18f27d42b09fe462af83c3ec3e82842e09a7db2e9c69cb6044e977b7af87a3c9
Tags
bootkit discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

18f27d42b09fe462af83c3ec3e82842e09a7db2e9c69cb6044e977b7af87a3c9

Threat Level: Known bad

The file Chernobyl.exe was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion exploit persistence trojan

Contains code to disable Windows Defender

Modifies WinLogon for persistence

UAC bypass

Possible privilege escalation attempt

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Loads dropped DLL

Modifies system executable filetype association

Modifies file permissions

Checks whether UAC is enabled

Modifies WinLogon

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies File Icons

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-03 02:01

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-03 02:01

Reported

2024-03-03 02:07

Platform

win7-20240221-en

Max time kernel

110s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\kill.ico C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\System32\wallpaper.jpg C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Enumerates physical storage devices

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1696 wrote to memory of 668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 1696 wrote to memory of 668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 1696 wrote to memory of 668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 1244 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2192 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2192 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 476 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 476 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 476 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1520 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1520 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1520 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1584 wrote to memory of 1688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1584 wrote to memory of 1688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1584 wrote to memory of 1688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\system32\rundll32.exe
PID 1980 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1980 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1980 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1552 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1552 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1552 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2828 wrote to memory of 2952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 2828 wrote to memory of 2952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 2828 wrote to memory of 2952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 1244 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2840 wrote to memory of 2824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2840 wrote to memory of 2824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2840 wrote to memory of 2824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1104 wrote to memory of 1536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1104 wrote to memory of 1536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1104 wrote to memory of 1536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1244 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\system32\conhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "54895417653445655620751004148627423071719257307-525580787-7071774771257655175"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1621733526-12011147161859254869-1695348543-119211382-14980353089736523011016234392"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11435681537744094457464622-1367195511839874554826055691649856111821994029"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3576495458805297127931491901025074956982201503-18164519511215232641-553113933"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-346397899200832466614001831481313348780437562311510088114-1597840612177851318"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1674539640209590052-620824865-345331065-1712403586-159578867353962019-1418431666"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-27307056-51626916521179988316284245471316335247-1458593264-5854637631505391222"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1959520742-21406153961186878365-1770231113-1520222623889518384303678895307505780"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "84393655621056928821897055320-4313130461010516710-17565270531541018284-1549995032"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8269622711828898472-2055274167-9621063312076265785-276465396-1076308921614959540"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "907999213135224872096942724311911542271954400322-1486061824-1117093346394661065"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18951402328773463577693775105288011971796319081-466364653130441321400013580"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "832134706-4131248092025083737-789389331-2019538104-756545179-1377304373197514798"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "950490706-5584995251537408815-1309645106-13177898181789902148-1484646813-1280944784"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10574926018162032349417425271841068690-2146251370170320052712519946551363881966"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1761861311228798064-1223620581610275829-8453910321511030513295823737-30130781"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "583892375-1460933130-16170746771981842696-2103827964-160302078716198758971117849232"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-853127713772086928368335505-513630690-1450586175-18943463811370168503-735799625"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\smss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\lsass.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\csrss.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\wininit.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\services.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winlogon.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.efi

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winload.efi /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\ntoskrnl.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\smss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\wininit.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\csrss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\LogonUI.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\lsass.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\services.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winlogon.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "358573084-960319267877290552-168505249-1209121303-994186568-737338682-63422102"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.efi

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\ntoskrnl.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-137757887-2050928685-193987438-21198619938663582785240919491259895822-1405341401"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394bus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpipmi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394ohci.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adp94xx.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1582131915-1818442508345966894405292231-965675916-1306464604-1358459872-44459498"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpu320.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpahci.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\afd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\AGP440.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\aliide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1798329338-412655061-1789956836-20815899961324467237-438090289-984704158-1466973907"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\agilevpn.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdk8.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdppm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsata.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsbs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdxata.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\appid.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arcsas.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1384728197-782569420-1993577204-1328441073345696650-1464539075371820741326197602"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\asyncmac.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1214900420-452387530-11941999901158575697-1538806498-820565254-17228258001313359688"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\atapi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ataport.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\b57nd60a.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\battc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\blbdrive.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\beep.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bowser.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltLo.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bridge.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltUp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerWdm.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbSer.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerId.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bthmodem.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bxvbda.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdfs.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdrom.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\circlass.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Classpnp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cmdide.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cng.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CmBatt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\compbatt.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CompositeBus.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crcdisk.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crashdmp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\csc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dfsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-738759891-169272849-12220861111889045868182299802103036214-1128965893-2133076818"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\discache.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\disk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "909442621611109525-18363644442061430844-1703659490-21187344381522763982507322104"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dmvsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Diskdump.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1171447329-1550907193-1142626495-45893687316679545081609237795857084959-158731582"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1511126505-57948661-2121121221-1685339390-357417678-705356418-97221525-564529714"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12335844677926123231623818862-1210951843-1430338803-326344980-273474033183630140"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmkaud.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dumpfve.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Dumpata.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxapi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxg.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "912181822-635074711-1791628637-174953248212170523841414846830828055649-47828480"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgmms1.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgkrnl.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\elxstor.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\evbda.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\errdev.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9083195921674414138625466066-11536012182275338281101342393-364201837-1487883231"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\exfat.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fastfat.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6262467071981080528-1710126922483141467-18320258611537763204114712572-2135070936"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fdc.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8830745741128541469947272867817346731703568792853994779-1036088981303627429"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fileinfo.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1847074793-100451235-599949181-847067753-1100701012768583410-14116908911596100789"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "79985939081526473503366797690443411815582440-1310187774589433001-701673817"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\filetrace.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\flpydisk.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19467059371834272716-499791449-20701899416360086008026456651472278311-851961786"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fltMgr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fsdepends.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2122788361728764020628613667-131468001110783859975834662945942944031109612079"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fs_rec.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fvevol.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2110594314-66729367899563309321225789271018018137-11225088591368696231605207980"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "343668591043237973-1345592523-819772282-186996909476017302-574494909-1854474076"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gm.dls

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hcw85cir.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7622787231076324505-961219213153677226710162594931765731719-633592419-581249756"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gmreadme.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "176302930045025510950355524416160479211771133419-744891285812383129887332056"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hdaudbus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HdAudio.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbatt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbth.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidir.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidparse.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidusb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HpSAMD.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\http.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hwpolicy.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\i8042prt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iaStorV.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iirsp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelppm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipfltdrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\IPMIDrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irenum.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\isapnp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipnat.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irda.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecdd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ks.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdhid.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecpkg.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksthunk.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-169368444917609499241822192359870360578-11255443691343591135329150358-214181262"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2083406644-458252017-18109127521619987457-1850783277334125821291293891407213967"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lltdio.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_fc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\luafv.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1792147420114453575-774491207-1718244553-21129321871958232276-20383139511088840636"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mcd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_scsi.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14141827161144511199216336081-1620129348105240240415728709031089094628-1809725220"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MegaSR.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\megasas.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\modem.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\monitor.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouclass.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2354215381865823453-1244352468-1769240951965668692299531523645479703-1318357360"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1939424173-168191625012758793563910675766062758893989050482044828546-502326009"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouhid.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mountmgr.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1073366037-50025725519140407777061917002008316185136993642357581868-63714414"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxdav.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb10.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpsdrv.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-898134462-20183623676635918-1036682329-1058665174-123364791-443841215-519531165"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb20.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msahci.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msdsm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msfs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msisadrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mshidkmdf.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msiscsi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mskssrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspclock.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspqm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mssmbios.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MTConfig.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msrpc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mup.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mstee.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndis.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiscap.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndistapi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbios.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiswan.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndproxy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndisuio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nfrd960.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netio.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nsiproxy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\npfs.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ntfs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\null.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvraid.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\NV_AGP.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-169972305613419550011619440335-356624949362210721-6289303329923361602134556258"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvstor.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ohci1394.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "620461132-123426941-1962000978100470382739756888-800552722-18831081841347159523"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\parport.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nwifi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pacer.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\partmgr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciidex.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcmcia.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcw.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18464894961532086107-10781256931693970440-1511652894534463130-11958893231369018071"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\PEAuth.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\portcls.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql2300.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\processr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ql2300.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2118435253470978354-20081491951727838961370813369-111788706175611160-2122573909"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2093618180-34186218916457965602021462804-18472826642848317552096112729-1186846217"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasacd.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20333551891001056542840815792-19469999691057130786-8524922081803101268443354641"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasl2tp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\qwavedrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql40xx.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1196916639724021235-1103036701822276615222813484-1054341173-9578017631409481701"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspppoe.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspptp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20279316601214512637379116672-2112459730-1459444142-676821496-13539574311087169992"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rassstp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdbss.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpbus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-36419231531891834161490150417601481821210273006-451914781-4150815481147947242"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "21325274891690799625-411762690-210458370144587626-1287372400-894139989-773496203"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPCDD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "477630112303842847-1538966470-2321699561507441143375011481-272179162861774097"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpdr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-89761958017178179411303792914052658301194957496-744994024-582986565-491657284"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPREFMP.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdyboost.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpwd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPENCDD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpwd.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rmcast.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RNDISMP.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rootmdm.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rootmdm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rspndr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Rtnic64.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sbp2port.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scfilter.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scsiport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\secdrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sermouse.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serial.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\serial.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffdisk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_mmc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_sd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sfloppy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid4.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\smb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sr9lbsiiph8afw.sys && icacls C:\Windows\System32\drivers\sr9lbsiiph8afw.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sisraid2.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sfloppy.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\smb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\smclib.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3430514931322808691-219821169-171481091121267239641288379812192196806-1126358956"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spsys.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spldr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1810580017-1318082151-846321335-537303132-1739101191366048271-1727058649-111601746"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sr9lbsiiph8afw.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv2.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srvnet.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stexstor.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\srv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\storport.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\srv2.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\srvnet.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\stexstor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\storvsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\storvsc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stream.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1625138446-5715141801621539351-1780038514109099997716152097851121320139-763580898"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\swenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1218423955-608181404-1800546392-743557101-6093101861417298479-6596790571616924845"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tape.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpip.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpipreg.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdpipe.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdtcp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdx.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\termdd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-109457793113897049151164471431363502228-200743819816811799701919143210-2097874320"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\terminpt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1259855074-1977245523445304510421788527-1319203107-70223348-412296947-1672291520"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tssecsrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5011441411538511296-253857375-1144637001-1801877649-133371606-1111799872690809377"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18238221211964626545-338877014904311416788685891591179566118515548926652419"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\TsUsbGD.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tsusbhub.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tunnel.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "358339041484075351389181171-710513929217506289-1645797217-12983784361456269411"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\UAGP35.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\udfs.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1676233521650095527-209488350-20796147191314991021121089822-1936053828-382493566"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\umbus.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\umpass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usb8023.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\USBCAMD2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbccgp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbcir.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbohci.sys && icacls C:\Windows\System32\drivers\usbohci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbport.sys && icacls C:\Windows\System32\drivers\usbport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbehci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbprint.sys && icacls C:\Windows\System32\drivers\usbprint.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbhub.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbrpm.sys && icacls C:\Windows\System32\drivers\usbrpm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBSTOR.SYS && icacls C:\Windows\System32\drivers\USBSTOR.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbuhci.sys && icacls C:\Windows\System32\drivers\usbuhci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbohci.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbprint.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbrpm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vdrvroot.sys && icacls C:\Windows\System32\drivers\vdrvroot.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vga.sys && icacls C:\Windows\System32\drivers\vga.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\usbohci.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\USBSTOR.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vgapnp.sys && icacls C:\Windows\System32\drivers\vgapnp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vhdmp.sys && icacls C:\Windows\System32\drivers\vhdmp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\viaide.sys && icacls C:\Windows\System32\drivers\viaide.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\videoprt.sys && icacls C:\Windows\System32\drivers\videoprt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmbus.sys && icacls C:\Windows\System32\drivers\vmbus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbuhci.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vga.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vdrvroot.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\VMBusHID.sys && icacls C:\Windows\System32\drivers\VMBusHID.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vgapnp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\vga.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vhdmp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vms3cap.sys && icacls C:\Windows\System32\drivers\vms3cap.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\viaide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\vhdmp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\vgapnp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\viaide.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vmstorfl.sys && icacls C:\Windows\System32\drivers\vmstorfl.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\videoprt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgr.sys && icacls C:\Windows\System32\drivers\volmgr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vmbus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volmgrx.sys && icacls C:\Windows\System32\drivers\volmgrx.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\VMBusHID.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vms3cap.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\vms3cap.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\volsnap.sys && icacls C:\Windows\System32\drivers\volsnap.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vmstorfl.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\volmgr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vsmraid.sys && icacls C:\Windows\System32\drivers\vsmraid.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifibus.sys && icacls C:\Windows\System32\drivers\vwifibus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\volmgrx.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwififlt.sys && icacls C:\Windows\System32\drivers\vwififlt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\volsnap.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vwifimp.sys && icacls C:\Windows\System32\drivers\vwifimp.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1962448231-1997928778165795822-1713653724-6492329517419397102119465381-782539627"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vsmraid.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wacompen.sys && icacls C:\Windows\System32\drivers\wacompen.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vwifibus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wanarp.sys && icacls C:\Windows\System32\drivers\wanarp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\watchdog.sys && icacls C:\Windows\System32\drivers\watchdog.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vwififlt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\vwifimp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\wanarp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\watchdog.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\wanarp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\watchdog.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\wacompen.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wd.sys && icacls C:\Windows\System32\drivers\wd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\wacompen.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Wdf01000.sys && icacls C:\Windows\System32\drivers\Wdf01000.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WdfLdr.sys && icacls C:\Windows\System32\drivers\WdfLdr.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "60305341856596105-1218882355626985905396170726-1046832195-475847905653480907"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wfplwf.sys && icacls C:\Windows\System32\drivers\wfplwf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\wd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Wdf01000.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\WdfLdr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wimmount.sys && icacls C:\Windows\System32\drivers\wimmount.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\winhv.sys && icacls C:\Windows\System32\drivers\winhv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\wfplwf.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "644261067-156735115921421796631022974113-1803620011258711272392910789648484019"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmiacpi.sys && icacls C:\Windows\System32\drivers\wmiacpi.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-294590014901780365-178235231-1400509292109430596019378631522066116248297984904"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\wmiacpi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\winhv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wmilib.sys && icacls C:\Windows\System32\drivers\wmilib.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\winhv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ws2ifsl.sys && icacls C:\Windows\System32\drivers\ws2ifsl.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1200744732-1536618827160294134-816768690-13835457391037646315943764398-771462098"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFPf.sys && icacls C:\Windows\System32\drivers\WUDFPf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\wimmount.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\WUDFRd.sys && icacls C:\Windows\System32\drivers\WUDFRd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ws2ifsl.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\wmilib.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\WUDFPf.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\WUDFRd.sys

Network

N/A

Files

memory/1244-0-0x000000013F620000-0x000000013F68C000-memory.dmp

memory/1244-1-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1244-2-0x000000001BB00000-0x000000001BB80000-memory.dmp

memory/1244-3-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1244-4-0x000000001BB00000-0x000000001BB80000-memory.dmp

C:\Users\Admin\Desktop\₧¤ß¾╔63ö◄•ř²¾▼åßóΣ╧╩↑å♪ř╩♂╚ě±2♫™♀š¶œÂ♪☼¤☻4↑Ç6¼í×™æ◙¢2◙╩¶½4žě♠♦µ¼☺č∞í☺♠↕ÿ₧õřπïě¬ñßŸě¢±╩5◙φ™²♦ε¥1—¤σŸí

MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

memory/1244-111-0x000000001BB00000-0x000000001BB80000-memory.dmp

memory/1244-112-0x000000001BB00000-0x000000001BB80000-memory.dmp

\Users\Admin\AppData\Local\Temp\Chernobyl.exe

MD5 f5007f18070e9cfc0b23c5ebb25c4468
SHA1 cf430806009fe87580705a85474a8604c84292fe
SHA256 18f27d42b09fe462af83c3ec3e82842e09a7db2e9c69cb6044e977b7af87a3c9
SHA512 7b9de630ea04314813895e2dc8908429bc393f2a7c0dd50ed1ac7802f8ba3d36998886bd9da3dd7c857a992dd9aecf016eb55a0cb33a3b234fa1e3137f094c50

C:\Windows\System32\kill.ico

MD5 373d53d7c6709d5106b29a26a71b0d31
SHA1 1708009c111266ba513503e06b94a5ccd402dee5
SHA256 de3f42bc53000d3dad58f3182108c414ce8062095ef390314fcc628473490c86
SHA512 15b32cd9b87a9852d6ad0f03321edb15468e136a220ff4473bc109355c9b401a4c4f7eeb99ad7097c67f9cfac7c416f84038c0639e4db59561d2dbc74ef5d67d